Back to Tech Center

Using Falcon Spotlight for Vulnerability Management

February 4, 2022

Tech Center
CrowdStrike Tech Center

Introduction

This document and video will demonstrate how to use Falcon Spotlight to assess, report and research vulnerabilities in your environment while overcoming the challenges with traditional vulnerability management solutions.

Video

Spotlight for Reporting

Falcon Spotlight leverages CrowdStrike’s single management platform and lightweight agent to provide organizations with access to vulnerability assessment information. The sensor provides real time results on protected Windows, Linux and Mac systems with no time consuming, impactful system scans or a requirement for any network hardware. In this demonstration, we are going to review three different use cases for Falcon Spotlight and how this solution can add value to your organization.

On the main dashboard, you have a top level overview of the vulnerabilities in your environment.

spotlight dashboard

There is a chart to track open vulnerabilities over time as well as recommended remediations and remediations by severity. These charts are designed to help organizations prioritize their efforts to maximize impact.

spotlight remediations

The dashboard updates as you pivot and filter the vulnerability data with the Falcon search bar, and clicking on the tables will provide the supporting details. Custom filters can be saved for future reference or the ability to create custom dashboards.

spotlight dashboard filters

From the Falcon Spotlight Dashboard, there are also statistics regarding “Closed vs Open” vulnerabilities. These statistics give a good understanding of how quickly patches are being applied as well as vulnerability trends over time. In the example below, a filter is applied to report on a single CVE.

spotlight statistics

Spotlight for Research

Falcon Spotlight includes the functionality to research a specific vulnerability and the potential exposure in your environment. Looking closer at a specific CVE provides information on remediation, CVSS score, exploit status and the list of vulnerable hosts in the environment. There is an option to export the list making it easy to share the information with patch management teams, and CrowdStrike also provides the option to patch systems directly from the CrowdStrike user interface.

spotlight vulnerable hosts

Also, from anywhere in the Falcon user interface, the universal search feature is available. Searching on a CVE ID will yield information about the vulnerability and impacted hosts as well related environment data such as detections, incidents and quarantined files.

spotlight universal search

Spotlight for Investigations

In the situation of an incident or compromised system, Spotlight can also be used to assess the health of a given host. This host has a number of open vulnerabilities across multiple applications. Again, the export option can be used to share this information with the patch management team to prioritize the remediation.

spotlight host vulnerabilities

The valuable vulnerability data can also be found in the actor profiles. When an actor is known to use a specific CVE, Falcon Spotlight provides additional context by showing the number of vulnerable hosts corresponding to each CVE.

fancy bear actor page

Conclusion

Falcon Spotlight provides holistic access to the vulnerability status of your environment with simple reporting and real time results without introducing complex hardware or time consuming scans. It provides complete, actionable reporting to help make your organization more secure.

More resources

Related Content