Crowdstrike Falcon Identity Protection Modules Solution Brief
CrowdStrike Solutions

CROWDSTRIKE FALCON
IDENTITY PROTECTION
MODULES
Active Directory (AD) security for your
Zero Trust architecture

Zero Trust is a security framework that requires all users, whether
inside or outside an organization’s network, to be authenticated,
authorized and continuously validated for security configuration
and posture before being granted access or keeping access to
applications and data.

Whether you’re already adopting single sign-on (SSO) and
multifactor authentication (MFA), or still working on how to transfer
more applications to the cloud, CrowdStrike Falcon® Identity
Protection solutions can offer the information and assistance you
need to pass audits and succeed in security tests.

Two Falcon products are offered for identity protection to fit your
Active Directory (AD) security use cases for either identification/
detection-only or active prevention of identity attacks: Falcon
Identity Threat Detection and Falcon Zero Trust.

KEY HIGHLIGHTS

Two Falcon identity protection solutions are available:

Falcon Identity Threat Detection (ITD): Serves as the first level of
detection for AD security, providing identity risk analysis and
detecting threats to the authentication system and credentials as
they happen

Falcon Zero Trust (ZT): Enables frictionless Zero Trust security with
real-time threat prevention and IT policy enforcement using identity,
behavioral, and risk analytics that combine with nearly any MFA/SSO
provider to challenge threats in real time
FALCON IDENTITY THREAT DETECTION (ITD): AD SECURITY ALERTS
CrowdStrike Falcon Identity Threat Detection (ITD) represents the first level of detection for AD
security. Falcon ITD provides visibility for identity-based attacks and anomalies, comparing live traffic
against behavior baselines and rules to detect attacks and lateral movement. It provides real-time
Active Directory security alerts on rogue users and sideways credential movement within the network
or cloud.

Falcon ITD enables you to:

See all organizational service accounts, privileged users and user credentials
Add the context of “who” to network attack discovery and investigation, with behavioral analysis for
each credential
Track every authentication transaction, and alert when the risk is elevated (e.g., accessing new
systems or being granted additional privileges), or if the traffic is abnormal (varies from normal
patterns of the user behavior)
Expand understanding for both architecture and security teams by combining context of
authentication-level events with recommended best practices for network security

Seeing user authentication activity everywhere, from local legacy apps to your cloud environment
stack, is the first step toward effectively managing AD security for identity and access.
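As an added illustration (not part of the brief and not CrowdStrike's code), the alerting criteria listed above expressed as a small baseline-and-score routine over constructed authentication events: a per-user baseline of hosts and logon hours is learned, then live events are flagged for a new system, a privilege grant, or a logon outside the user's normal hours. Field names, host names and the two-hour tolerance are assumptions.

```python
from collections import defaultdict

# Constructed learning-window logons (sample data, not from the brief).
BASELINE_EVENTS = [
    {"user": "alice", "host": "FS01", "hour": 9, "kind": "logon"},
    {"user": "alice", "host": "FS01", "hour": 10, "kind": "logon"},
    {"user": "alice", "host": "MAIL01", "hour": 14, "kind": "logon"},
    {"user": "bob", "host": "WS-BOB", "hour": 8, "kind": "logon"},
    {"user": "bob", "host": "WS-BOB", "hour": 17, "kind": "logon"},
]

# Constructed live events to score against that baseline.
LIVE_EVENTS = [
    {"user": "alice", "host": "FS01", "hour": 9, "kind": "logon"},
    {"user": "alice", "host": "DC01", "hour": 2, "kind": "logon"},
    {"user": "bob", "host": "WS-BOB", "hour": 8, "kind": "group_add",
     "group": "Domain Admins"},
]

def build_baseline(events):
    """Per-user sets of hosts and logon hours observed in the learning window."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["kind"] == "logon":
            hosts[e["user"]].add(e["host"])
            hours[e["user"]].add(e["hour"])
    return {"hosts": hosts, "hours": hours}

def score_event(baseline, e, tolerance=2):
    """Return the alert reasons for one live event (empty list = no alert).
    Criteria follow the brief: new system, additional privileges, or traffic
    outside the user's normal pattern (here, logon hour; tolerance is assumed)."""
    reasons = []
    if e["kind"] == "group_add":
        reasons.append("privilege granted: added to " + e["group"])
        return reasons
    known_hosts = baseline["hosts"].get(e["user"], set())
    known_hours = baseline["hours"].get(e["user"], set())
    if e["host"] not in known_hosts:
        reasons.append("new system: " + e["host"])
    if not any(abs(e["hour"] - h) <= tolerance for h in known_hours):
        reasons.append("unusual logon hour: %02d:00" % e["hour"])
    return reasons

def alerts(baseline_events, live_events):
    """Map the index of each alerting live event to its list of reasons."""
    baseline = build_baseline(baseline_events)
    out = {}
    for i, e in enumerate(live_events):
        reasons = score_event(baseline, e)
        if reasons:
            out[i] = reasons
    return out
```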

FALCON ZERO TRUST (ZT): FRICTIONLESS CONDITIONAL ACCESS
CrowdStrike Falcon Zero Trust (ZT) enables frictionless Zero Trust security with real-time threat
prevention and IT policy enforcement using identity, behavioral and risk analytics.

With a nebulous enterprise perimeter, internal applications that were previously considered secure for
authenticated users are now open to access from compromised systems and compromised users.

Falcon ZT:

Provides unified visibility and control of access to applications, resources and identity stores in
hybrid environments
Improves alert fidelity and reduces noise by recognizing and auto-resolving genuine access
incidents through identity verification
Enforces consistent risk-based policies across cloud and legacy systems to enable Zero Trust
architecture with zero friction — actions include block, allow, audit and step-up using MFA
Saves overhead of log storage costs by storing only relevant authentication logs

More mature security operations may be looking for real-time controls for a hybrid environment
that avoid user fatigue while simultaneously securing service and privileged accounts. Falcon
Zero Trust provides that level of control without inducing end-user MFA fatigue, by providing
risk-based adaptive authentication.
FEATURE COMPARISON: FALCON IDENTITY THREAT DETECTION VS. FALCON ZERO TRUST

Feature | Falcon ITD | Falcon ZT
Microsoft AD accounts analysis | Yes | Yes
Azure AD accounts analysis | Yes | Yes
Insights and analytics | Yes | Yes
Security assessment | Yes | Yes
Detection of AD security incidents | Yes | Yes
Deep packet inspection of live traffic | Yes | Yes
Real-time threat detection for authentication and authorization access requests | Yes | Yes
Real-time cloud activity visibility, baselining and monitoring for federated access via AD FS and Okta or PingFederate | Yes | Yes
Near real-time cloud activity visibility, baselining and monitoring using events analysis from Okta, Azure AD and Ping | Yes | Yes
Policy creation for monitoring or enforcement | No | Yes
Real-time cloud activity enforcement (e.g., block, MFA) | No | Yes
Real-time enforcement and secured access to Microsoft AD (e.g., block, MFA) | No | Yes
Custom threat detection (create real-time alerts from policy rules) | No | Yes
Reports (including custom) | Partly: includes reports for incidents, activity and Threat Hunter (custom) | Yes
Threat hunting | Yes | Yes
API support | Yes: to SIEM or SOAR tools | All, plus SSO and MFA tools
Email integration to report events | Yes | Yes
Technical support | Yes | Yes

Because 80% of breaches involve compromised credentials, Falcon identity protection
products advance your Zero Trust architecture by segmenting identities and automating
analysis and enforcement of AD security.

Improved security posture and significantly reduced attack surface by extending MFA:
Extend identity verification/MFA tools to any resource or application, including legacy/
proprietary systems traditionally not integrated with MFA, such as desktops, tools like
PowerShell, and protocols like RDP over NTLM.
Both solutions provide Active Directory attack detections:

Account enumeration reconnaissance (BloodHound, Kerberoasting)
Bronze Bit (CVE-2020-17049)
Brute force attacks (LDAP simple bind, NTLM, Kerberos)
Credential scanning (on-premises)
Cloud-based (Azure AD) brute-force/credentials scanning
DCSync (Active Directory replication)
DCShadow
Forged PAC for privilege escalation (Bulletin MS-14-068)
Golden Ticket
Hidden object detected
NTLM Relay Attack (including MS Exchange)
Overpass-the-Hash (multiple methods: Mimikatz, CrackMapExec)
Pass-the-Hash (Impacket, CrackMapExec, Metasploit)
Pass-the-Ticket
Possible exploitation attempt (CredSSP) CVE-2018-0886
Remote execution attempts
Skeleton Key and Mimikatz Skeleton Key
Suspected NTLM authentication tampering (CVE-2019-1040)
Zerologon (CVE-2020-1472)

Both solutions provide visibility to “rogue credential” or behavior anomalies:

Access from a forbidden country
Adding a user to a privileged group
Anomalous DCE/RPC
Bronze Bit (CVE-2020-17049)
Custom threat detection using policy rules
Excessive access (servers)
Excessive access (services)
Excessive access (workstations)
Hidden object detected
Identity verification denied
Identity verification timeout
Service account misuse
Suspicious VPN connections (unusual user geolocation)
Unusual access to a server
Unusual access to a service
Unusual protocol implementation
Usage of IP with a bad reputation
Use of stale endpoint

ABOUT CROWDSTRIKE

CrowdStrike, a global cybersecurity leader, is redefining security for the cloud era with an
endpoint protection platform built from the ground up to stop breaches. The CrowdStrike
Falcon® platform’s single lightweight-agent architecture leverages cloud-scale artificial
intelligence (AI) and offers real-time protection and visibility across the enterprise, preventing
attacks on endpoints on or off the network. Powered by the proprietary CrowdStrike Threat
Graph®, CrowdStrike Falcon correlates over 5 trillion endpoint-related events per week in real
time from across the globe, fueling one of the world’s most advanced data platforms for security.
Whether you need to identify potentially malicious identity traffic or you’re ready to challenge
it and create Zero Trust conditional access, CrowdStrike has the right product for you.

Schedule a Demo

Learn more www.crowdstrike.com

© 2021 CrowdStrike, Inc. All rights reserved.
