How to Navigate Falcon Discover

Falcon Discover was designed for security teams wanting to gain visibility and control over the computers and applications in their environment and be able to then take proactive action to improve their security posture. In this demo, we’ll be looking at three different scenarios where visibility is key to enabling better security. For the first scenario, we’ll inspect user accounts in the Account Monitoring section of Discover.

This section provides information on a number of accounts, types of accounts, and how long it’s been since they’ve last logged in, and which host they’re logged into. Many organizations find themselves in a situation where outside users need access to their network, either on a long-term or regular basis or maybe just temporarily. In this situation, the organization has created designated accounts and computers for an HVAC vendor who is temporarily working on-site.

To get a detailed view of what the user’s been up to, we’ll filter our user accounts to just the account we’d like to focus on. The filtered result highlights something that is unexpected. The last logged on host is a corporate PC, not the designated PC IT had provisioned.

We can look into this by clicking on any of the blue text. In this case, I’d like to see what the user’s been up to so I’ll click on the user. The user search window’s opened with all the recent activity.

The detail of interest here is at the top, where I can see that this user has been on two separate systems in the same day, one of which they shouldn’t have access to. At this point, I can inspect the other details– such as the process execution or files written– and see if there are other clues as to why this user would be on a corporate machine. From this point, I recognize that additional controls may need to be put into place and permissions double-checked to ensure that this has not or does not become a larger security issue.

Next we’ll look at the application inventory. Knowing what applications and what versions of those applications are in your organizations have large security and operational ramifications. At a high level, we can see that we have over 2,000 applications installed, but we have more than 300 applications with multiple versions.

This may be a security issue if some of those are older, unpatched versions with vulnerabilities. From an IT operations perspective, it is often necessary to identify the number of systems that have deployed software for licensing and billing purposes. A good example of this is Visio, where it has often installed the view files, but then never used. Since I don’t have Visio installed in my organization, we’ll search for instances of Photoshop.

The results indicate that we have five different application versions of Photoshop in our organization, but then none of them have been used in the last 30 days. From a billing perspective, this would be great to know. To inspect further, we can click on the applications to see that these versions are outdated and could probably just be removed. Application visibility reduces risk and saves costs, making this feature one of the most used of Falcon Discover.

Finally, Discover provides visibility to the assets in your organization. It’s easy to see the number of managed and unmanaged assets, but we also have visibility into servers and even unsupported assets. Any blue text allows you to pivot into that data for even greater visibility and detail. As we’ve seen, Falcon Discover enables IT hygiene by providing organizations with unprecedented visibility over the computers, applications, and accounts being used in their environment– improving their overall security posture and resulting in them being better prepared to repel attacks and stop a breach.