How to Navigate Falcon Discover
Falcon Discover enables IT hygiene by providing organizations with robust visibility over the computers, applications and accounts being used in their environment. That visibility helps prepare companies against attacks, improve the overall security posture and prevent breaches.
Navigating Falcon Discover
Because the Falcon Platform is cloud-based, Falcon Discover can return searches within seconds without impacting the user or the network. With 90 days of historical data, Falcon Discover can report both historical and current information in near real time.
The Discover menu options are available from the main Falcon menu.
The main dashboard provides a high level overview with clickable charts to drill down into the supporting details.
Falcon Discover offers two main dashboards specific to applications. The Application Usage dashboard reveals a detailed list of applications that have recently run in the environment including details such as vendor, application, version, and file name. The data can be filtered on attributes like vendor and file name to identify potential issues around version control and licensing. There are also options to search used applications based on a specific user or host.
From the top menu, there is also an option to report on all installed applications. Filtering this list by operating system yields a more focused view of the application information.
Falcon Discover enables security teams to differentiate assets in the environment and take appropriate steps to improve overall security. The Asset Inventory dashboard includes a breakdown of active devices by OS and type, with additional charts illustrating management status and hardware model. Statistics on unmanaged and unsupported devices can be used to target agent deployment or to track down out-of-service devices, end-of-life operating systems and unauthorized use of devices outside the corporate standards.
Falcon Discover also provides visibility into the user accounts being leveraged. The Account Monitoring dashboard reflects an overview of the number of domain and local accounts in the environment. It also illustrates when the account passwords were last reset – helping to identify and address areas of concern around password management.
Beyond applications, assets and accounts, Falcon Discover provides insights into many other important device metrics including these two examples.
The Drive Encryption dashboard reports on the status of each host’s built-in OS encryption, broken down by form factor.
The System Resources dashboard includes information about the processors, cores and memory of managed systems. As on the other dashboards, filters are available to focus on attributes like operating system, organizational unit and domain.
Falcon Discover enables IT hygiene by providing organizations with robust visibility over the computers, applications and accounts being used throughout the environment. With CrowdStrike, organizations can identify issues and address areas of weakness to minimize risk and stop breaches.
How to Navigate Falcon Discover
Falcon Discover was designed for security teams wanting to gain visibility and control over the computers and applications in their environment and be able to then take proactive action to improve their security posture. In this demo, we’ll be looking at three different scenarios where visibility is key to enabling better security. For the first scenario, we’ll inspect user accounts in the Account Monitoring section of Discover.
This section provides information on a number of accounts, types of accounts, and how long it’s been since they’ve last logged in, and which host they’re logged into. Many organizations find themselves in a situation where outside users need access to their network, either on a long-term or regular basis or maybe just temporarily. In this situation, the organization has created designated accounts and computers for an HVAC vendor who is temporarily working on-site.
To get a detailed view of what the user’s been up to, we’ll filter our user accounts to just the account we’d like to focus on. The filtered result highlights something that is unexpected. The last logged-on host is a corporate PC, not the designated PC IT had provisioned.
We can look into this by clicking on any of the blue text. In this case, I’d like to see what the user’s been up to, so I’ll click on the user. The user search window opens with all the recent activity.
The detail of interest here is at the top, where I can see that this user has been on two separate systems in the same day, one of which they shouldn’t have access to. At this point, I can inspect the other details, such as the process execution or files written, and see if there are other clues as to why this user would be on a corporate machine. From this point, I recognize that additional controls may need to be put into place and permissions double-checked to ensure that this has not become, or does not become, a larger security issue.
Next we’ll look at the application inventory. Knowing what applications, and which versions of those applications, are in your organization has large security and operational ramifications. At a high level, we can see that we have over 2,000 applications installed, but we have more than 300 applications with multiple versions.
This may be a security issue if some of those are older, unpatched versions with vulnerabilities. From an IT operations perspective, it is often necessary to identify the number of systems that have deployed software for licensing and billing purposes. A good example of this is Visio, which is often installed to view files but then never used. Since I don’t have Visio installed in my organization, we’ll search for instances of Photoshop.
The results indicate that we have five different application versions of Photoshop in our organization, but none of them have been used in the last 30 days. From a billing perspective, this would be great to know. To inspect further, we can click on the applications to see that these versions are outdated and could probably just be removed. Application visibility reduces risk and saves costs, making this feature one of the most used in Falcon Discover.
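The two demo scenarios above (a vendor account appearing on a host other than its designated PC, and an application installed in several versions but unused for 30 days) reduce to simple checks over inventory records. The following is an added illustration, not CrowdStrike code and not the Falcon Discover API: the account names, host names, application records and report date are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: the host(s) IT provisioned for each designated account.
DESIGNATED_HOSTS = {"hvac-vendor": {"VENDOR-PC-01"}}

# Constructed logon records as (account, host, logon date).
LOGONS = [
    ("hvac-vendor", "VENDOR-PC-01", date(2019, 6, 3)),
    ("hvac-vendor", "CORP-PC-117", date(2019, 6, 3)),  # unexpected corporate PC
    ("jsmith", "CORP-PC-042", date(2019, 6, 3)),
]

# Constructed application inventory as (name, version, host, last used or None).
APPS = [
    ("Photoshop", "CS5", "CORP-PC-042", date(2019, 3, 1)),
    ("Photoshop", "CS6", "CORP-PC-117", None),
    ("Photoshop", "CC 2018", "CORP-PC-007", date(2019, 4, 20)),
    ("Chrome", "74.0", "CORP-PC-042", date(2019, 6, 2)),
    ("Chrome", "75.0", "CORP-PC-117", date(2019, 6, 3)),
]

REPORT_DATE = date(2019, 6, 3)  # constructed "today" for the 30-day window


def off_designation_logons(logons, designated):
    """Logons by a designated account onto a host outside its provisioned set.

    Accounts without a designation entry are ordinary users and are not flagged.
    """
    return [(acct, host, day) for acct, host, day in logons
            if acct in designated and host not in designated[acct]]


def app_hygiene(apps, today, stale_days=30):
    """Return (apps with several installed versions, apps unused for stale_days).

    An install with no recorded last-use date counts as unused.
    """
    versions = defaultdict(set)
    used_recently = defaultdict(bool)
    for name, version, _host, last_used in apps:
        versions[name].add(version)
        if last_used is not None and (today - last_used).days <= stale_days:
            used_recently[name] = True
    multi_version = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    unused = sorted(n for n in versions if not used_recently[n])
    return multi_version, unused
```

Run against the sample data, the first check flags only the hvac-vendor logon to CORP-PC-117, and the second reports both applications as multi-version but only Photoshop as unused in the last 30 days.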
Finally, Discover provides visibility into the assets in your organization. It’s easy to see the number of managed and unmanaged assets, but we also have visibility into servers and even unsupported assets. Any blue text allows you to pivot into that data for even greater visibility and detail. As we’ve seen, Falcon Discover enables IT hygiene by providing organizations with unprecedented visibility over the computers, applications, and accounts being used in their environment, improving their overall security posture and leaving them better prepared to repel attacks and stop a breach.