How to Hunt for Threat Events with Falcon Discover for AWS

Introduction

You can’t protect what you can’t see. Falcon Discover for AWS provides visibility into critical AWS infrastructure environments.

Infrastructure administrators and security teams struggle to determine the extent of an organization’s data environment and where security solutions are deployed. This is particularly true for cloud environments, where it can be challenging for security teams to obtain relevant information, such as: How many EC2 instances do I have? What type of EC2 instances do I have? How many of my instances have internet access? Yet security teams need that information to take an efficient, proactive stance and improve their overall security posture.

Falcon Discover for AWS provides extensive and detailed visibility over EC2 instances, helping organizations improve their overall security posture. It highlights EC2 instances that do not have the Falcon sensor installed, allowing customers to quickly identify security gaps. Furthermore, EC2 instances with Falcon installed provide rich AWS-specific context. This allows analysts to implement timely changes, effective triage, and response actions to security events.

About Falcon Discover for AWS

Falcon Discover for AWS provides extensive and detailed visibility over EC2 instances. It quickly enumerates existing EC2 deployments across all regions (including instances without the Falcon sensor installed) and subsequently monitors CloudTrail logs for any modifications to the environment. The Falcon Management Console highlights all EC2 assets running across all AWS accounts and regions in one centralized view. This dashboard also highlights instances that do not have Falcon installed, allowing customers to quickly identify security gaps. In addition, rich AWS-specific context is presented to allow for timely triage of and response to security events on EC2 instances.

AWS Dashboard

  • Manage the unmanaged – Quickly and efficiently discover all EC2 instances and identify unprotected / unmanaged assets, so teams can rapidly take needed action.

  • Enriched context – Discover additional details about each EC2 instance with Falcon installed. This gives analysts more context about the impacted system while triaging detections. Is this system internet accessible? Does it have IAM roles applied with elevated privileges? Is it on the same VPC as other critical assets?

  • Consistent visibility over all instances and endpoints – As organizations implement hybrid data centers, with workloads running on-premises and in the cloud, consistent security becomes more difficult and problematic. Discover and Discover for AWS provide consistent visibility over their endpoints, irrespective of whether they are running on-premises or as an EC2 instance in AWS.

  • Improved efficiency – Time is a scarce resource for IT and security teams. Too often they find themselves having to pivot across a variety of tools and workflows as they attempt to span physical, virtual and cloud environments. Falcon Discover provides a single tool that gives them visibility over their AWS EC2 instances and existing on-premises endpoints.

  • Frictionless deployment – Visibility of an EC2 instance across all regions and accounts is achieved almost instantaneously, without having to install any further software. There are no reboots, no install scripts to be run, and no scans, all of which ensures that the instance is neither disrupted nor has its performance impacted.

  • Built in the cloud for the cloud – As a cloud native application, it scales easily, instantly deploying endpoint security onto any EC2 instance with no hit to performance and no requirement to reboot.

More resources

CrowdStrike Falcon Free Trial
 
