
CROWDSTRIKE FALCON IDENTITY PROTECTION

[Title slide figure: the Falcon platform modules (Endpoint Security, Cloud Security, Managed Services, Security & IT Operations, Threat Intelligence, Identity Protection, Log Management, CrowdStrike Store), built on Falcon Fusion, the CrowdStrike Threat Graph and Humio DB, and delivered through a single lightweight agent for cloud and mobile]

KEYS TO YOUR ENTERPRISE

©2022 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.


Modern Attacks
Ransomware, supply chain…

80% of data breaches have a connection to compromised privileged credentials
- Forrester Research

Breaches from stolen/compromised credentials took the longest to detect (250 days!)
- Cost of a Breach Report, 2021

FOCUS ON 80% OF THE PROBLEM
To stop modern attacks


INTRUSION TRENDS IN 2021



THREAT ACTORS AREN’T ALWAYS STARTING FROM HERE

[Figure: MITRE ATT&CK tactics in attack order]
Initial Access • TA0001
Discovery • TA0007
Privilege Escalation • TA0004
Credential Access • TA0006
Lateral Movement • TA0008
Impact • TA0040


OFTEN, THEY ARE STARTING HERE

[Figure: the same tactic chain, with the adversary entering mid-chain]
Initial Access • TA0001
Discovery • TA0007
Privilege Escalation • TA0004
Credential Access • TA0006
Lateral Movement • TA0008
Impact • TA0040


OFTEN, THEY ARE STARTING HERE

[Figure: the same tactic chain, now split into an Execution phase and an Identity phase]
Initial Access • TA0001
Discovery • TA0007
Privilege Escalation • TA0004
Credential Access • TA0006
Lateral Movement • TA0008
Impact • TA0040


FALCON IDENTITY PROTECTION

PROTECT: See like the adversary; attack path visibility
PREVENT: Detect and block, in real-time, identity-specific threats; dynamic policy
ENABLE: Verify only when the risk changes; frictionless conditional access
FALCON IDENTITY PROTECTION

PROTECT: Reduce Identity Store Attack Surface
▪ Visibility into AD/Azure AD, hybrid identity stores
▪ Auto-classify all identities
▪ Get identity store attack path visibility
▪ Enable identity segmentation
▪ Defend your AD/Azure AD from modern attacks

PREVENT: Detect AND Prevent ID Threats
▪ Detect & respond to ID-specific threats – hybrid directories, multi-vendor SSO
▪ Create simple, dynamic policies that adapt to the attack path

ENABLE: MFA Everywhere
▪ Enable risk-based MFA and improve UX
▪ Extend MFA protection to legacy apps/tools
▪ Digest ZTA risk score to key in device risk posture
REFERENCE ARCHITECTURE

[Figure: Falcon Sensor on the Domain Controller(s) and on each workstation/server, communicating with the cloud over port 443; integrations via the Security/Federation API, Streaming API (SIEM Connector) and Email API; a Gateway to IDaaS and cloud MFA providers; MFA UI for the user]
Additional Slides
Endpoint + Identity
Better Together


[Figure: three MITRE ATT&CK coverage matrices, labelled Identity, Endpoint, and Identity + Endpoint. Each lists the same techniques for both actor classes (eCrime and Targeted); the colour coding showing which techniques each product covers is not recoverable from the text.]

Initial Access: Valid Accounts
Execution: Command and Scripting
Persistence: Valid Accounts
Privilege Escalation: Valid Accounts
Defense Evasion: Valid Accounts
Credential Access: OS Credential Dumping
Discovery: System Owner/User Discovery
Lateral Movement: Remote Services
Collection: Archive Collected Data
Command and Control: Ingress Tool Transfer
Exfiltration: Exfiltration Over Alternative Protocol
Impact: Service Stop


FALCON IDENTITY + ENDPOINT PROTECTION
BETTER TOGETHER

❏ Improves your protection at the endpoint and identity level in a single solution
❏ Reduces the attack surface to help prevent lateral movement across your network
❏ Correlates security events across endpoints and identity to provide real-time, actionable insights


FALCON PRODUCT BUNDLES

FALCON PRO: Next Gen Antivirus; Remote Response; Integrated Threat Intel; Device Control; Firewall Management
FALCON ENTERPRISE: Next Gen Antivirus; Endpoint Detection & Response; Integrated Threat Intel; Managed Threat Hunting; Device Control; Firewall Management
FALCON ELITE: Next Gen Antivirus; Endpoint Detection & Response; Integrated Threat Intel; Managed Threat Hunting; Identity Protection; Device Control; Firewall Management; IT Hygiene
FALCON COMPLETE: Falcon Endpoint Protection Delivered as a Service; Breach Prevention Warranty
FALCON ENDPOINT AND IDENTITY PROTECTION ELITE

Components: Next Generation Antivirus & Endpoint Detection and Response; Integrated Threat Intelligence & IT Hygiene; Managed Threat Hunting; Real Time Identity Protection

BUSINESS VALUE
Protection that unifies NGAV, EDR, Identity and IT Hygiene
Enable threat hunting and real time visibility
Expanded visibility & control
Speed investigation and response
Discover unprotected systems, risky applications and users


FALCON ENDPOINT AND IDENTITY PROTECTION ELITE
FEATURES AND CAPABILITIES

VISIBILITY & EDR
▪ Continuous monitoring
▪ Raw event capture
▪ 5-second searches
▪ Real-time response
▪ Complete visibility
▪ Context and attribution
▪ USB device visibility
▪ Firewall visibility
▪ Asset, application, and account visibility

MANAGED THREAT HUNTING
▪ 24/7 managed threat hunting
▪ Expert threat hunters
▪ Identify emerging threats
▪ In-app and email notifications

INTEGRATED INTELLIGENCE
▪ Automatic malware analysis
▪ Automatic attribution
▪ Automatic IOC generation

PREVENTION
▪ Machine learning
▪ IOAs behavioral prevention
▪ Exploit blocking
▪ Custom hash blocking
▪ Protection on and off the network
▪ USB device control
▪ Firewall configuration management

IDENTITY PROTECTION
▪ Hybrid identity landscape visibility
▪ Auto-classify identity enterprise wide
▪ Real-time detection of lateral movement and anomalous authentication
▪ Enables proactive identity-based threat hunting
FALCON IDENTITY PROTECTION

Capabilities: Detection of identity-based attacks; Identity-based segmentation; Frictionless MFA adoption; Proactive identity threat hunting

BUSINESS VALUE
Stop identity-based attacks in real-time
Provide deep visibility into hybrid identity landscape
Reduced time to remediation
Trigger MFA for risky behavior
API to MFA/SSO, SIEM, SOC, SOAR architecture


Additional Slides
Falcon Complete with Identity Threat Protection

FALCON IDENTITY THREAT PROTECTION COMPLETE
Managed Identity Threat Protection

❏ First and only fully-managed Identity Protection solution
❏ Powered by CrowdStrike's team of experts

Additional Benefits
❏ Expertise to prevent identity-based attacks
❏ Surgical response to identity-based threats in minutes
❏ Backed by Breach Prevention Warranty


FALCON COMPLETE
MANAGED DETECTION AND RESPONSE

ENDPOINT • CLOUD • IDENTITY

BACKED BY INDUSTRY’S STRONGEST BREACH PREVENTION WARRANTY


FALCON COMPLETE STOPS BREACHES WITH PLATFORM, INTELLIGENCE, AND EXPERTISE

COMPREHENSIVE PLATFORM
FALCON DISCOVER (IT Hygiene): understand customer assets and risk
FALCON INSIGHT (EDR): record and analyze endpoint telemetry
FALCON PREVENT (NGAV): block 99% of tradecraft
FALCON IDENTITY THREAT PROTECTION (ITP): protect and enforce identities and identity stores

UNIQUE EXPERTISE & INTEL
FALCON OVERWATCH: 24/7 hunters
FALCON COMPLETE TEAM: 24/7 responders
Hunt and respond: CrowdStrike people and process


IDENTITY THREAT DETECTION AND RESPONSE IS CRUCIAL

80% of data breaches have a connection to compromised privileged credentials
- Forrester Research

Breaches from stolen/compromised credentials took the longest to detect: 250 days
- Cost of a Breach Report, 2021

[Figure: IDENTITY THREAT PROTECTION as a cycle of Proactive CONTROL, Continuous VISIBILITY and Real Time RESPONSE, surrounded by the identity risk sources it covers: Stolen Creds, Legacy Systems, Contractors & Supply Chain, Unmanaged Systems, Service Accounts]


WHY FALCON IDENTITY THREAT PROTECTION COMPLETE?

STOP IDENTITY-DRIVEN ATTACKS: Credential theft and abuse are at the core of modern threats
SHRINK ATTACK SURFACE: Reduce threat from unmanaged systems and other blind spots
GAIN IMMEDIATE VALUE: CrowdStrike experts accelerate deployment
PROVEN OUTCOMES: Proactive control, continuous visibility, near real-time response


A TALE OF TWO OUTCOMES: WITHOUT IDENTITY THREAT PROTECTION

[Figure: timeline of an intrusion that begins with a phishing exploit against an IT contractor]
Friday 4 PM, Server 1: Adversary obtains admin creds
Saturday 3 AM, Server 2: Lateral movement; Persistence
Monday 9 AM, Server 3: Lateral movement; Persistence
Monday 10 AM, Domain Controller: PowerShell recon script; REvil ransomware staged; AD database dumped; Data staged for exfil
Monday 1 PM: Admin account locked by IT Ops

Endpoint response along the way:
Server 1: Host network contained. Persistence removed. RECOMMENDATION: Reset admin password
Server 2: Host network contained. Persistence removed. RECOMMENDATION: Reset admin password
Ransomware blocked. RECOMMENDATION: Reset admin password


A TALE OF TWO OUTCOMES: WITH IDENTITY THREAT PROTECTION

[Figure: the same intrusion, beginning with a phishing exploit against an IT contractor]
Friday 4 PM, Server 1: Adversary obtains admin creds
Saturday 3 AM: Lateral movement; Persistence

Response: Host network contained. Persistence removed. Admin account BLOCKED. RECOMMENDATION: Reset admin password

Intrusion contained and remediated within minutes
Zero intervention by IT staff
Zero disruption to business processes or users


Additional Slides
CrowdStrike Zero Trust Solution

ADVANCING SECURITY MEASURES TO REDUCE RISKS

Apps everywhere, work anywhere
Nation-state actors
Ransomware, supply chain threats
Insider threats


What factors play a key role in choosing your Zero Trust solution? (1)

76% Ease of deployment
71% Ease of use (less friction for users)
71% Security coverage

(1) July ‘21 CrowdStrike Survey
REQUIRED CAPABILITIES FOR CLOUD FIRST, WORK ANYWHERE
Based on the NIST 800-207 framework

[Figure: the Zero Trust pillars PEOPLE, WORKLOADS, NETWORKS and DEVICES, tied together by DATA VISIBILITY and AUTOMATION & ORCHESTRATION]

▪ Behavioral data
▪ Segmentation & least access
▪ Security automation {tied to context}
▪ Continuous verification


CLOUD-NATIVE, SINGLE AGENT ARCHITECTURE
Easy Deployment

[Figure: a Requestor (Endpoint, Identity, Workload) reaches Data (Public and Private Cloud, Data Center) through the Security Cloud]

CONTINUALLY VERIFY + BEHAVIORAL DATA + SEGMENTATION
Frictionless User Experience

[Figure: the same flow; the Security Cloud returns an ALLOW, CHALLENGE or BLOCK decision for each request, exposed through an API]

Automate Context and Integrate With Existing Tools
Increase Security Coverage/Save Cost

[Figure: the same flow; over the API the Security Cloud exchanges CONTEXT & CONTROL and a RISK SCORE with SSO, AD, Azure AD, SIEM, Identity Providers, CASB, Secure Access and SOAR]

WHY CROWDSTRIKE?

1. World’s largest unified, threat-centric data fabric
2. World-class AI for hyper-accurate detections & automated protection
3. Cloud-native for rapid deployment, scalability and reduced complexity
IN A NUTSHELL…

MAXIMUM SECURITY COVERAGE
+
REDUCE COMPLEXITY AND COST

Additional Slides
Modern Attacks
MODERN ATTACKS: THE TWO PART PROBLEM

▪ Modern attacks like ransomware, Log4j, noPac consist of two parts:
  ▪ Code execution
  ▪ Identity access
▪ Adversary executes code on a single system (foothold)
▪ Adversary leverages credentials to access and execute code on multiple systems (lateral movement)

[Figure: Code Execution + Identity Access = Impact]
MODERN ATTACK PROGRESSION

Initial Access
Discovery
Credential Access: Obtain credentials (PasswordSpray) and connect to domain joined machine
Privilege Escalation: Elevate privilege (PtH) and add user account to Domain Admins
Lateral Movement: Leverage user account to move laterally; Use privileged account to move laterally
Impact: Exfil/encrypt data


NOPAC

CVE-2021-42278 and CVE-2021-42287

▪ Patches released November 2021.
▪ Microsoft has patches available for all versions of Windows Server later than 2008.
▪ Enables privilege escalation to domain admin, with the adversary requiring only a standard user account.


[Figure: the noPac attack chain; the figure carries a timing annotation of 16 seconds beside the TGT request step]
Initial Access
Create New Computer Account
Rename to DC name (without $)
Request TGT for original computer name
Request TGS for service running on the DC
Complete Domain Compromise


How does Identity Protection detect and prevent the attack?

[Figure: the same noPac chain, each step annotated with the Identity Protection response; the 16-second timing annotation again sits mid-chain]
Initial Access
Create new computer account with random name: Event Detection
Rename to match any DC: Event Detection
Authorize new computer account: Event Detection
Request privileged access to the DC: MFA Challenge
Complete Domain Compromise: PREVENTED
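The "rename to match any DC" step above is the one a defender can catch from audit data alone; this added example (not CrowdStrike code) correlates constructed Windows security audit events to flag a computer account that is created and then renamed to a domain controller's name minus the trailing `$`, the collision CVE-2021-42278 hinges on. The event layout, the DC inventory and the 10-minute correlation window are assumptions; event IDs 4741 (computer account created) and 4781 (account name changed) are standard Windows audit IDs not mentioned on the page.

```python
from datetime import datetime, timedelta

# Assumed inventory of domain controller computer accounts (the sAMAccountName
# of a computer object ends in '$'); in practice this comes from AD.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample of simplified Windows security audit events:
# 4741 = computer account created, 4781 = the name of an account was changed.
SAMPLE_EVENTS = [
    {"ts": "2021-12-13T09:00:01", "id": 4741, "target": "WS-1234$", "subject": "jsmith"},
    {"ts": "2021-12-13T09:00:05", "id": 4741, "target": "RAND-7F3A$", "subject": "alowpriv"},
    {"ts": "2021-12-13T09:00:09", "id": 4781, "old": "RAND-7F3A$", "new": "DC01", "subject": "alowpriv"},
    {"ts": "2021-12-13T09:30:00", "id": 4781, "old": "WS-1234$", "new": "WS-1235$", "subject": "jsmith"},
]


def is_nopac_rename(new_name, dcs):
    """True when an account is renamed to a DC's name with the '$' stripped,
    i.e. the sAMAccountName collision the noPac chain relies on."""
    if new_name.endswith("$"):
        return False
    return (new_name + "$").upper() in {d.upper() for d in dcs}


def detect_nopac(events, dcs, window=timedelta(minutes=10)):
    """Correlate 4741 and 4781 events; return one alert per suspicious rename."""
    created = {}  # sAMAccountName -> (creation time, creating principal)
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4741:
            created[ev["target"].upper()] = (ts, ev["subject"])
        elif ev["id"] == 4781 and is_nopac_rename(ev["new"], dcs):
            origin = created.get(ev["old"].upper())
            age = (ts - origin[0]).total_seconds() if origin else None
            alerts.append({
                "time": ev["ts"],
                "subject": ev["subject"],
                "old": ev["old"],
                "new": ev["new"],
                "seconds_since_creation": age,
                # A rename within minutes of creation is the strongest signal;
                # the chain on the slide completes in seconds, so alert in real time.
                "severity": "critical" if age is not None and age <= window.total_seconds() else "high",
                "same_subject": bool(origin) and origin[1] == ev["subject"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_nopac(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```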
LOG4J ATTACK

▪ Environment without Falcon Platform or Falcon Zero Trust installed is the target of a skilled adversary
▪ Attacker has credentials, but has been otherwise locked out of target environment due to perimeter defenses
▪ Attacker leverages Log4j exploit to place a web shell on vulnerable system in target environment to break perimeter
▪ Attacker interacts with web shell and uses credentials to RDP, unchallenged, to Exchange server
▪ Attacker dumps credential store on server
▪ Complete Domain Compromise


[Figure: the Log4j attack chain with the MITRE ATT&CK technique for each step]
Log4j Exploit Drops Web Shell • Initial Access
Adversary Interacts with Web Shell • Command and Control
Adversary Uses Credentials • Valid Accounts
Adversary RDP to Exchange Server • Lateral Movement
Adversary Drops Credential Theft Tool • Ingress Tool Transfer
Adversary Dumps Identity Store • Credential Access


[Figure: the same chain, each step tagged as Execution, Identity or Both, with elapsed-time annotations: ~24 hours around the web shell stage, 7 minutes between the RDP session and the identity store dump]
Log4j Exploit Drops Web Shell • Initial Access
Adversary Interacts with Web Shell • Command and Control
Adversary Uses Credentials • Valid Accounts
Adversary RDP to Exchange Server • Lateral Movement
Adversary Drops Credential Theft Tool • Ingress Tool Transfer
Adversary Dumps Identity Store • Credential Access


[Figure: the same chain with Identity Protection in place; steps tagged as Execution, Identity or Both]
Log4j Exploit Drops Web Shell • Initial Access
Adversary Interacts with Web Shell • Command and Control
Adversary Uses Credentials • Valid Accounts
Compromised Credential Login Attempt Using RDP: ‘Deny’ Using MFA
Adversary RDP to Exchange Server • Lateral Movement (blocked)
Adversary Drops Credential Theft Tool • Ingress Tool Transfer
Adversary Dumps Identity Store • Credential Access


STOPPING MODERN ATTACKS

- User identity, behavior and risks
- Real time identity threat detection and protection
- Stop attack progression
  - Zero day
  - Unpatched


RANSOMWARE – THE KEY DRIVER FOR CYBER INSURANCE

66% of organizations suffered at least one ransomware attack in 2021
- CrowdStrike Global Security Attitude Survey

62% year-over-year increase in ransomware complaints in 1H of 2021
- Cyber & Infrastructure Security Agency

Credential compromise was the most common attack vector
- 2021 Cost of a Data Breach

CYBER INSURANCE – ESSENTIAL COVERAGE AREAS

- Virus/malware threats
- Social engineering attacks
- Phishing emails
- Identity theft
- RANSOMWARE

The common denominator? IDENTITIES!
- Infiltrate
- Move laterally
- Encrypt/exfiltrate


WHY CROWDSTRIKE?

- Auto-classification and privilege assessment of ALL identities
- Attack surface reduction with identity segmentation
- Dynamic risk scoring for EVERY account
- Risk-based conditional access for ALL identities
- Extend risk-based MFA, everywhere
- Rapid deployment and scalability
- Real time risk and security posture assessment


TRADITIONAL PAM VS CROWDSTRIKE

ID store visibility
  Traditional PAM: Limited to privileged accounts
  CrowdStrike: ALL accounts across AD, Azure AD directories

Risk posture assessment
  Traditional PAM: Incomplete or limited to privileged accounts
  CrowdStrike: ALL – human, service, privileged identities

Deployment
  Traditional PAM: Requires careful planning – jump servers, session brokers, and many more.
  CrowdStrike: Rapid deployment and scalability with cloud-delivered, single lightweight agent architecture

User experience (UX)
  Traditional PAM: High user friction (password vaulting, session brokers)
  CrowdStrike: Frictionless MFA/conditional access - based on dynamic risk

Behavior, deviations monitoring
  Traditional PAM: Limited – to only privileged accounts
  CrowdStrike: ALL accounts

Misuse of valid credentials
  Traditional PAM: Not available
  CrowdStrike: Full visibility – detection and prevention

Attack path visibility and attack prevention
  Traditional PAM: Limited
  CrowdStrike: Full visibility into lifecycle of an attack across reconnaissance, lateral movement and persistence, with real-time prevention of identity incidents
