How Identity Analyzer Improves Cloud Security

Introduction

The growing use of public cloud infrastructure not only expands the attack surface but also increases management complexity and risk. As the Sunburst attack demonstrated, adversaries look to take advantage of the human error and misconfigurations that can be common with cloud deployments. Leveraging CrowdStrike’s wealth of cloud experience, Falcon Horizon provides cloud security posture management to help organizations identify those security issues and indicators of misconfiguration.

Cloud Security Posture Management

As part of Falcon Horizon, CrowdStrike has developed policies for various cloud services that can be monitored and reported in the Falcon user interface. A filter quickly highlights services by provider, including the Azure Identity service.

CSPM Azure policies

For each registered account, there are options to enable the different policies and configure a custom severity. Enabled policies are then included in regularly scheduled assessments. When applicable, the policies also include details around CIS benchmarking. The link provides specifics about the guideline, including a description, rationale and audit procedure.

azure identity CIS guideline

Identity Analyzer

In addition to assessing different services and policies, CrowdStrike provides pre-configured dashboards specific to Azure Identity. The Application Registration dashboard consolidates information from various Azure configurations and presents it on one easy-to-reference page. The pull-down menus can be used to filter the applications by delegated or application permissions to help ensure that applications do not have more permissions than required. Checkboxes are available to highlight where privileged permissions have been granted.

Azure application registration

In this example, there is one application that has two associated certificates and three different secrets. While that is not prohibited, it is unusual and could be used as a backdoor or persistence mechanism. The dashboard also reports the lifespan associated with certificates and secrets. An unusually long life may indicate a backdoor, as attackers would want their access to persist as long as possible. Identity Analyzer makes it possible to easily monitor and investigate these types of anomalies.

azure multiple certificates
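
The same two signals, credential count and credential lifespan, can be checked in a script. This is an added example, not CrowdStrike's code: it assumes input shaped like Microsoft Graph `application` objects (`passwordCredentials`, `keyCredentials`, `startDateTime`, `endDateTime`), and the thresholds, application names and sample data are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed thresholds; the page gives none. Tune to your own rotation policy.
MAX_CREDENTIALS = 2        # secrets + certificates per application
MAX_LIFETIME_DAYS = 365    # longest acceptable validity window

def parse_utc(ts):
    """Parse a Graph-style UTC timestamp, ignoring fractional seconds."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app(app):
    """Return a list of findings for one application registration."""
    findings = []
    creds = [("secret", c) for c in app.get("passwordCredentials", [])]
    creds += [("certificate", c) for c in app.get("keyCredentials", [])]
    if len(creds) > MAX_CREDENTIALS:
        findings.append(f"{len(creds)} credentials attached (limit {MAX_CREDENTIALS})")
    for kind, cred in creds:
        start, end = cred.get("startDateTime"), cred.get("endDateTime")
        if not (start and end):
            findings.append(f"{kind} {cred.get('keyId')} has no validity window recorded")
            continue
        days = (parse_utc(end) - parse_utc(start)).days
        if days > MAX_LIFETIME_DAYS:
            findings.append(f"{kind} {cred.get('keyId')} valid for {days} days")
    return findings

def audit(apps):
    """Map displayName -> findings, for applications with at least one finding."""
    return {a["displayName"]: f for a in apps if (f := audit_app(a))}

# Constructed sample data (not from the page), mirroring its example of one
# application with two certificates and three secrets.
def _cred(key_id, start, end):
    return {"keyId": key_id, "startDateTime": start, "endDateTime": end}

SAMPLE_APPS = [
    {"displayName": "billing-sync", "keyCredentials": [],
     "passwordCredentials": [_cred("s-1", "2021-01-01T00:00:00Z", "2021-07-01T00:00:00Z")]},
    {"displayName": "report-exporter",
     "passwordCredentials": [
         _cred("s-2", "2021-01-01T00:00:00Z", "2021-12-31T00:00:00Z"),
         _cred("s-3", "2021-02-01T00:00:00Z", "2022-01-01T00:00:00Z"),
         _cred("s-4", "2021-03-01T00:00:00.0000000Z", "2120-03-01T00:00:00Z")],
     "keyCredentials": [
         _cred("c-1", "2021-01-01T00:00:00Z", "2022-01-01T00:00:00Z"),
         _cred("c-2", "2021-01-01T00:00:00Z", "2031-01-01T00:00:00Z")]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_APPS))
```
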

Similarly, the Users dashboard provides insight into the Active Directory and subscription roles applied to each user. Pull-down menus reveal every assigned role for the subscription and enable quick filtering of the supporting user list. As before, checkboxes are available to highlight users with privileged permissions.

Azure AD users

The supporting list includes summary information for each user, including status and authentication method. The sort option is available to quickly find outliers. In this example, there are two users without multi-factor authentication enabled.

Azure MFA sort

Conclusion

Attacks that leverage misconfigurations are on the rise. Falcon Horizon and Identity Analyzer provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.
