Back to Tech Center

How Identity Analyzer Improves Cloud Security

August 6, 2021

CrowdStrike Tech Center

Introduction

The growing use of public cloud infrastructure not only expands the attack surface, but it also increases the management complexity and risk. As demonstrated with the Sunburst attack, the adversary is looking to take advantage of the human error and misconfigurations that can be common with cloud deployments. Leveraging CrowdStrike’s wealth of cloud experience, Falcon Horizon provides cloud security posture management to help organizations identify those security issues and indicators of misconfiguration.

Video

Cloud Security Posture Management

As part of Falcon Horizon, CrowdStrike has developed policies for various cloud services that can be monitored and reported in the Falcon user interface. The filter quickly highlights services by provider including the Azure Identity service.

cspm identity analyzer policies

For each provider, the policies for each supported service are listed including the default severity and policy type along with links to any relevant compliance information. There are options to enable the different policies and configure a custom severity for each registered cloud account.

cspm identity policy list

Enabled policies are then included in regularly scheduled assessments. The main dashboard illustrates an overview of recent findings across all of the registered cloud accounts and providers. Service misconfigurations are shown on the left, while the behavioral assessment findings on the right  focus on activities or patterns that could be malicious.

cspm identity analyzer dashboard

Azure Identity Analyzer

In addition to being able to assess different services and policies, CrowdStrike provides pre-configured dashboards for each cloud provider. For Azure, the Application Registration dashboard consolidates information from various Azure configurations and presents it on one, easy to reference page. The pull down menus can be used to quickly filter the applications for delegated or application permissions to ensure that applications have the correct permission levels. The checkboxes are available to highlight where privileged permissions have been granted.

Azure application registration

In this example, there is one application that has two associated certificates and three different secrets. While that is not prohibited, it is unusual and could be used as a backdoor or persistence mechanism. That kind of anomaly should be monitored and investigated. The dashboard also reports the lifespan associated with certificates and secrets. An unusually long life may indicate a backdoor as attackers would want their access to persist as long as possible. These kinds of anomalies should be monitored and investigated.

azure multiple certificates

Similarly, the Azure Active Directory Users dashboard provides insight into the active directory and subscription roles applied to each user. Pull down menus reveal every assigned role for the subscription and enable quick filtering of the supporting user list. Like before, checkboxes are available to highlight users with privileged permissions.

Azure AD users

The supporting list includes summary information for each user including status and authentication method. The sort option is available to quickly find outliers. In this example, there are two users without multi factor authentication enabled.

Azure MFA sort

AWS Identity Analyzer

The AWS IAM User report can be filtered on username, multi-factor authentication status and permissions to quickly assess any compliance issues.

cspm identity analyzer AWS user

Looking beyond user accounts, the AWS IAM Permission Audit has filter options such as service, action, policy name and group assignment so you permissions issues can be quickly identified and resolved.

CSPM identity analyzer permissions

In this example, the list has been filtered to only show permissions around the IAM policy with the authority to delete a role.

cspm identity analyzer IAM permissions

Conclusion

Attacks that leveraged misconfigurations are on the rise. Falcon Horizon and Identity Analyzer provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.

More resources

Related Content

TRY CROWDSTRIKE FREE FOR 15 DAYS

GET STARTED WITH A FREE TRIAL