Back to Tech Center

How to Monitor Virtual Machine Security

June 11, 2021

CrowdStrike Tech Center

Introduction

CrowdStrike’s cloud security posture management solution, Falcon Horizon, monitors rapidly growing public cloud environments to help organizations proactively identify and resolve potential issues.

Video

Assessment Types

The main dashboard displays an overview of recent findings across all of the registered cloud accounts and providers. Shown on the left, the configuration assessment findings are based on policies that look at various, service specific settings. The behavioral assessment, on the right, focuses on changes or events that could indicate malicious activity.

CSPM VM Dashboard

Assessment Findings

For this environment, there is a high severity behavioral finding for one of the most commonly used Azure services, Virtual Machine.

CSPM VM assessment finding

Drilling down on the finding presents the details including the associated MITRE ATT&CK Tactic and Technique. While this view is automatically filtered for a single behavioral policy, menu options and filters are available to hone in on other details of the behavioral assessment or pivot using the Assessment menu at the top to view the configuration assessment findings.

CSPM VM policy finding

Clicking on the number of findings opens the IOA Event Timeline that provides a complete description and remediation plan for this indicator of attack. The user session details are outlined along with an event timeline summary. Behavioral findings are also assigned a confidence score to help establish urgency and prioritization.

CSPM VM IOA timeline

Virtual Machine Policies

The assessment findings are based on policies that CrowdStrike has developed for the different cloud services. Under the policies tab, there is a comprehensive list of supported services for each cloud provider. Specifically for Azure Virtual Machine, there are a number of configuration based policies to help organizations ensure proper security. Given the core functionality and wide spread use of this particular service, most of those are associated with a high severity level and various compliance guidelines. Links are available to relevant documentation where applicable.

CSPM VM config policies

CrowdStrike also goes beyond compliance specific policies, to deliver additional configuration insights such as virtual machines not being properly assigned a network security group.

CSPM VM Config sec group

To identify potentially malicious activity, behavioral policies are also available. 

CSPM VM behavoral

In some cases, there can be an association between the behavioral and configuration findings. Above, on the dashboard, there was a finding for a VM modification that allowed ingress from the public internet.

CSPM allows ingress

That change would later trigger a configuration finding for the “Virtual Machine allows inbound from internet on any port from any source” policy. Details such as a description and remediation steps, and alert logic are available for each policy.

CSPM VM allows

Conclusion

With the growth of cloud deployments and the risk of misconfiguration, it is imperative that companies continuously monitor their environments to minimize risk. Falcon Horizon provides granular policy assessment and visibility to help organizations quickly identify potential exposures and take action to improve overall cloud security.

More resources

Related Content

TRY CROWDSTRIKE FREE FOR 15 DAYS

GET STARTED WITH A FREE TRIAL