This article introduces Falcon Discover. Falcon Discover enables IT hygiene by providing organizations with unprecedented visibility over the computers, applications and accounts being used in their environment, improving their overall security posture and leaving them better prepared to repel attacks and stop a breach.
Discover can return searches within seconds without impacting the user or the network. Because the Falcon Platform is cloud-based, all the requisite data is already in the cloud, so searches have no impact on endpoints. The data is also retained for 90 days, which gives Discover the ability to report both historical and current information in near real time.
To navigate to the app, click on the Discover icon on the left that looks like an eye.
Discover is organized into three categories: Applications, Assets, and Accounts. There is also an overview dashboard with high-level information that you can pivot into.
Detailed Dashboards for Easy Investigation
Complete Visibility – Lists all applications in use on a single endpoint and across all the endpoints in the environment. This enables security and IT teams to spot potentially malicious apps in the environment.
Application Search – Identify and search applications used on a particular host or by specific users.
Asset Inventory – Falcon Discover identifies which assets have the Falcon agent deployed. It enables security and IT ops to differentiate between managed, unmanaged, and unmanageable assets in your environment and take appropriate steps to improve overall security.
Account Monitoring – Falcon Discover enables security teams to monitor admin privileges and assess domain and local account password update timelines. It provides a view into logon time trends to identify unusual user behavior.
Falcon Discover continues to find ways to simplify security. With Discover, you get the following benefits:
- Real Time System Inventory
See a real-time view of all managed and unmanaged assets in the environment in a simple dashboard with drill-down options.
- Real Time Application Inventory
See a real-time view of all applications in the environment in a simple dashboard with drill-down options.
- Real Time Account Monitoring
- Identify Admin accounts and account usage trends – i.e. which hosts did the user log on to, average session length, session lengths on each host, hours that the user typically logged on, and type of registration (batch, remote)
- See local and domain accounts in depth, including average password change time, local users, and password changes
How to Navigate Falcon Discover
Falcon Discover was designed for security teams wanting to gain visibility and control over the computers and applications in their environment and be able to then take proactive action to improve their security posture. In this demo, we’ll be looking at three different scenarios where visibility is key to enabling better security. For the first scenario, we’ll inspect user accounts in the Account Monitoring section of Discover.
This section provides information on the number of accounts, the types of accounts, how long it has been since each account last logged in, and which host it last logged on to. Many organizations find themselves in a situation where outside users need access to their network, either on a long-term or regular basis or perhaps just temporarily. In this scenario, the organization has created designated accounts and computers for an HVAC vendor who is temporarily working on-site.
To get a detailed view of what the user’s been up to, we’ll filter our user accounts to just the account we’d like to focus on. The filtered result highlights something that is unexpected. The last logged on host is a corporate PC, not the designated PC IT had provisioned.
We can look into this by clicking on any of the blue text. In this case, I'd like to see what the user has been up to, so I'll click on the user. The user search window opens with all the recent activity.
The detail of interest here is at the top, where I can see that this user has been on two separate systems in the same day, one of which they shouldn't have access to. At this point, I can inspect the other details, such as process execution or files written, and see if there are other clues as to why this user would be on a corporate machine. From this point, I recognize that additional controls may need to be put in place and permissions double-checked to ensure that this has not become, and does not become, a larger security issue.
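The two checks behind the account scenario above, written out as an added example that is not part of the original article or of Falcon Discover itself: flag logons by a restricted account to any host outside its designated set, and flag users who touched more than one host on the same day. The logon records and the designated-host policy are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not CrowdStrike data); the fields mirror what
# the Account Monitoring view surfaces: user, host, logon time and logon type.
LOGONS = [
    {"user": "hvac-vendor", "host": "HVAC-KIOSK-01",  "time": "2021-03-02T08:05:00", "type": "interactive"},
    {"user": "hvac-vendor", "host": "CORP-PC-117",    "time": "2021-03-02T13:40:00", "type": "remote"},
    {"user": "jsmith",      "host": "CORP-PC-117",    "time": "2021-03-02T09:00:00", "type": "interactive"},
    {"user": "jsmith",      "host": "CORP-LAPTOP-22", "time": "2021-03-03T09:10:00", "type": "interactive"},
]

# Constructed policy: hosts each externally provisioned account is allowed to use.
DESIGNATED_HOSTS = {"hvac-vendor": {"HVAC-KIOSK-01"}}


def unexpected_logons(logons, designated):
    """Return logons by restricted accounts to hosts outside their designated set."""
    return [
        entry for entry in logons
        if entry["user"] in designated and entry["host"] not in designated[entry["user"]]
    ]


def multi_host_days(logons):
    """Map (user, date) to the sorted hosts for days on which a user used more than one host."""
    seen = defaultdict(set)
    for entry in logons:
        day = datetime.fromisoformat(entry["time"]).date().isoformat()
        seen[(entry["user"], day)].add(entry["host"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for entry in unexpected_logons(LOGONS, DESIGNATED_HOSTS):
        print(f"UNEXPECTED: {entry['user']} on {entry['host']} at {entry['time']} ({entry['type']})")
    for (user, day), hosts in multi_host_days(LOGONS).items():
        print(f"{user} used {len(hosts)} hosts on {day}: {', '.join(hosts)}")
```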
Next we'll look at the application inventory. Knowing which applications, and which versions of those applications, are in your organization has large security and operational ramifications. At a high level, we can see that we have over 2,000 applications installed, and more than 300 applications with multiple versions.
This may be a security issue if some of those are older, unpatched versions with vulnerabilities. From an IT operations perspective, it is often necessary to identify the number of systems that have a piece of software deployed for licensing and billing purposes. A good example of this is Visio, which is often installed to view files but then never used. Since I don't have Visio installed in my organization, we'll search for instances of Photoshop.
The results indicate that we have five different versions of Photoshop in our organization, but none of them have been used in the last 30 days. From a billing perspective, this is useful to know. To inspect further, we can click on the applications to see that these versions are outdated and could probably just be removed. Application visibility reduces risk and saves costs, making this feature one of the most used in Falcon Discover.
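The two inventory questions from the Photoshop walkthrough, version sprawl and applications with no use in the last 30 days, as an added example that is not part of the original article or of Falcon Discover itself. The inventory rows and the reference date are constructed; an install that has never run is recorded with last_used set to None.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed application-inventory rows (not CrowdStrike data): one row per
# host/application/version, with the date the application last ran (None = never).
INVENTORY = [
    {"host": "CORP-PC-101", "app": "Photoshop", "version": "20.0.4", "last_used": date(2020, 11, 2)},
    {"host": "CORP-PC-102", "app": "Photoshop", "version": "21.1.0", "last_used": None},
    {"host": "CORP-PC-103", "app": "Photoshop", "version": "22.0.1", "last_used": date(2021, 1, 5)},
    {"host": "CORP-PC-101", "app": "Chrome",    "version": "88.0",   "last_used": date(2021, 2, 28)},
    {"host": "CORP-PC-102", "app": "Chrome",    "version": "89.0",   "last_used": date(2021, 3, 1)},
    {"host": "CORP-PC-103", "app": "7-Zip",     "version": "19.00",  "last_used": date(2021, 2, 20)},
]

# Constructed reference date for the "last 30 days" window.
TODAY = date(2021, 3, 2)


def version_sprawl(inventory):
    """Applications installed in more than one version, mapped to their sorted versions."""
    versions = defaultdict(set)
    for row in inventory:
        versions[row["app"]].add(row["version"])
    return {app: sorted(v) for app, v in versions.items() if len(v) > 1}


def unused_apps(inventory, today, window_days=30):
    """Applications with no install used inside the window (licence and retirement candidates)."""
    cutoff = today - timedelta(days=window_days)
    latest_use = {}
    for row in inventory:
        used = row["last_used"]
        current = latest_use.get(row["app"])
        # Keep the most recent use per application; never-run installs contribute None.
        if row["app"] not in latest_use or (used is not None and (current is None or used > current)):
            latest_use[row["app"]] = used
    return sorted(app for app, used in latest_use.items() if used is None or used < cutoff)


if __name__ == "__main__":
    for app, versions in version_sprawl(INVENTORY).items():
        print(f"{app}: {len(versions)} versions installed: {', '.join(versions)}")
    print("not used in the last 30 days:", ", ".join(unused_apps(INVENTORY, TODAY)))
```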
Finally, Discover provides visibility into the assets in your organization. It's easy to see the number of managed and unmanaged assets, but we also have visibility into servers and even unsupported assets. Any blue text allows you to pivot into that data for even greater visibility and detail. As we've seen, Falcon Discover enables IT hygiene by providing organizations with unprecedented visibility over the computers, applications, and accounts being used in their environment, improving their overall security posture and leaving them better prepared to repel attacks and stop a breach.