How to Stop Lateral Movement in On-Prem Apps with CrowdStrike + Beyond Identity

TLDR

‍

Transcript

[0:00 - 0:33] Kasia Kumor:  All right. Hello, everybody. Welcome to another rendition of Beyond Identities webinars. Today, we are talking about how to stop lateral movement in on-prem applications. We know that they're more difficult to secure than cloud apps that have a lot of modern identity defense systems. So this is going to go on about how to extend modern identity security to legacy protocols, specifically with CrowdStrike's new ITDR and Beyond Identity. So first we'll get into a round of introductions and then go straight into the meat of it.

[0:34 - 0:40] Kasia Kumor:  So hello, I'm Kasia, I'm a product marketing lead at Beyond Identity. Michael, would you like to introduce yourself?

[0:40 - 0:47] Michael: Sure, I'm Mike Switzer, I'm a product manager here at Beyond Identity and I focus on our integration strategy. Awesome.

[0:48 - 1:21] Michael: So reallywhat we're talking about here is on-prem infrastructure and legacyapplications. So, you know, we are beyond identity. We generally provide amodern, you know, authentication and identity solution and defense solution forour customers. But not every solution tends to support the modern protocolsthat identity-based solutions often support. So this is all kinds of thingslike SSH, VPN, you know, things that are part of your IT infrastructure. anykind of legacy system or home-built resources,

[1:22 - 1:41] Michael:  any kind of file shares or databases that youhave on-prem, and then a lot of virtual desktop and remote desktop typesolutions tend to use more legacy protocols. And this is something that, youknow, when we talk to customers, we hear a lot about these sort of gaps incoverage from for modern identity protocols and solutions.

[1:42 - 2:15] Michael:  If you have a a phishing-resistant MFAsolution, if you have something that uses SAML or OIDC, you tend to have toleave some of these resources out of the purview of your identity systems. And,you know, that is contributing to security challenges for our customers. Itmakes it more challenging for customers to cover, you know, the entirety ofresources. And then especially when it comes to compliance and, you know,having to prove and show to auditors that your entire infrastructure oranything that's critical is covered, having these little gaps here and thereactually contribute to really

[2:15 - 2:25] Michael:  serious challenges for customers. So this iskind of the types of resources that we set out to, you know, solve, you know,with this partnership with CrowdStrike.

[2:26 - 2:47] Kasia Kumor:  Exactly. And not only is it difficult tosecure, but we know how easy it is for attackers to bypass these legacyprotocols. Just from some lessons from previous attacks we've seen in the wildfrom Microsoft and Change Healthcare. So with Microsoft, there was a phishingcampaign for a number of years that was targeting organizations using ADFS.

[2:48 - 3:02] Kasia Kumor:  More than 150 organizations were affected,specifically in education, healthcare, and government. And attackers...exploited weak defenses in high-volume legacy environments to move laterallyand escalate attacks for financial gain.

[3:04 - 3:34] Kasia Kumor:  And with Change Healthcare, which is owned byUnitedHealthcare, they ended up actually having to pay a ransom of $22 million.100 million individuals' data was compromised because an attacker accessed aCitrix remote access portal lacking MFA, eventually was able to move laterallyand deploy ransomware. So we can actually see here how vulnerable theseprotocols can be because they typically lack these modern identity defensesystems.

[3:36 - 4:09] Kasia Kumor:  And so it really begs the question of like,what if attackers had nothing to steal? A lot of these protocols use MFA thatuses passwords or push notifications that attackers can easily bypass, whichleads to phishing, MFA bypass, lateral movement, where credentials are exposed.But removing them actually makes these attacks impossible, and it's nowpossible through CrowdStrike ITDR and Beyond Identity, which Michael will talka little bit more about how that actually works together to reach that finalresult

[4:09 - 4:12] Kasia Kumor:  of eliminating credential-based attackson-prem apps.

[4:13 - 4:47] Michael: Yeah,absolutely. You know, our solution for Beyond Identity is all about having adevice-bound, hardware-backed, phishing-resistant, you know, multi-factorauthentication solution. And traditionally, that's something that usually hasto flow through, you know, modern identity protocols like OIDC and SAML, whichis most commonly associated with your SaaS applications. CrowdStrike, canactually install an agent directly on a domain

[4:47 - 5:34] Michael:  controller that's associated with ActiveDirectory or, you know, tied to any of your legacy applications or any of youron-prem applications. CrowdStrike then detects whenever there's an accessrequest coming in, you know, to your on-prem applications using those protocolsand then inserts the beyond identity authenticator into that user flow. And theadvantage there is really that, CrowdStrike has the detection side of this, andthen we have the verification and device posture and using those sort of adevice-bound immovable passkey that is attached to the hardware of the devicethat really verifies that the user is who they say they are and the devicefollows the attributes that are.

[5:35 - 5:52] Michael:  required for your organization. So, you know,CrowdStrike has that detection mechanism and then we have the verificationmechanism. When you put them both together, you're now inserting that moremodern, you know, identity verification and, you know, authentication into yourmore legacy applications that didn't traditionally support that.

[5:53 - 6:03] Kasia Kumor:  Exactly. And as the tagline goes, CrowdStrikestops breaches, but beyond identity prevents them at initial access. So now weget to see it in action,

[6:03 - 6:04] Michael: Let's share

[6:04 - 6:05] Kasia Kumor: yourscreen, Michael.

[6:06 - 6:36] Michael: Sure thing.Okay. So I will start in the CrowdStrike Falcon console here. When you have theidentity protection module installed, you have the ability to add policies thatdetect certain types of access and then promote an identity verification actionthere. So this is the policy builder. I'm going to build a simple policy here.We're going to call it Beyond Identity. and legacy applications.

[6:38 - 6:56] Michael:  And so for the trigger of this particularpolicy, it's going to be access. So when someone attempts to access a certaintype of resource, this policy is going to be triggered. We're going to startjust without any template. This is going to be a very simple policy, but it'sgoing to protect a large section of your infrastructure.

[6:56 - 7:11] Michael:  There is some pre-configuration that you haveto do here. You have to configure Beyond Identity as an OIDC provider, and youalso have to install the CrowdStrike Falcon agent on your domain controller.But once all that is set up, building policies is super simple.

[7:11 - 7:24] Michael:  If you want to get into more detail on that,we're happy to provide you with a more in-depth demo. But for this policy, allwe're going to do is we're going to prompt for an identity verification usingthe Beyond Identity connector.

[7:25 - 8:01] Michael:  When the policy triggers, we want it totrigger based on the protocol. So I'm going to select protocol here. And thebest thing to do really is just to hit select all, because in this case, you'regoing to trigger the beyond identity authentication whenever one of theselegacy protocols are used. But for the sake of making it easy to read, I'mgoing to pick Kerberos, LDAP, SMB, and NTLM. This covers a really wide varietyof different resource access. You know, the list we showed in, you know, On theprevious slides, anything from a remote desktop to VPN to any kind of activitythat flows through your Active Directory.

[8:02 - 8:16] Michael:  There's a few different monitoring rules youcan put in here, but this is really all that you need for the authentication toactually prompt and, you know, send the users down a modern MFA path wheneverthey try to access these legacy resources.

[8:17 - 8:43] Michael:  So I am going to hit save, and it's going toask for, a little bit more tuning, but we're just going to hit save anyway. Andnow the policy is in place in our system. So what policy or, you know, that'sthe CrowdStrike side of the policy. That's where CrowdStrike is going to detecta certain type of access and then go to us, you know, go to Beyond Identity toactually run through an identity verification process.

[8:44 - 9:05] Michael:  I want to show in the Beyond Identityconsole, what that actual process is going to look like. So we have our ownaccess control policy here. This, you know, checks for CrowdStrike extended attributes,as well as the existence of our phishing resistant pass keys during thatauthentication attempt. So I can just take a look at this policy here.

[9:06 - 9:21] Michael:  But the way that this is going to work, thisis tailored to the Mac operating system. You know, I'm using a Mac currently,but you can, you know, there's all kinds of different CrowdStrike attributesthat you can, So we can check for the existence of certain user groups in yourdirectory.

[9:22 - 9:54] Michael:  We can make sure that this happens during theauthentication rather than the enrollment of the credential. And then we cancheck in addition to attributes that come from CrowdStrike Falcon, we can alsoverify operating system attributes that come in directly from ourauthenticator. And so in this case, we can verify that antivirus is turned on,that there's a firewall enabled. FileVault is turned on. This is all the sortof Mac OS requirements for doing this activity. And then within CrowdStrike, wecan actually check a huge number of attributes within

[9:54 - 10:19] Michael:  CrowdStrike Falcon to make sure that yourdevice is in compliance with anything that your EDR is checking. This is not aremediative response in the way that the CrowdStrike solution generally works.This is something that we're checking proactively whenever you attempt to login. We'll make sure that all these attributes are put in place in the right waybefore we let people into the front door.

[10:20 - 10:54] Michael:  You can also check a wide variety of otherintegrations that we support. So Jamf, for example, if you have an MDM, if youhave something else configured for these devices, you're able to checkadditional attributes for this device. So in this policy, we're checkingCrowdStrike attributes, excuse me, we're checking Jamf attributes, and we'rechecking just OS-level settings that we detect within the authenticator. So allof this policy is going to run every single time that somebody attempts to useone of the protocols that I specified in the CrowdStrike Falcon policy. So inthis case, I'm going to show a quick demo of what that looks like.

[10:55 - 11:24] Michael:  This is just a little video recording that wehave. But this is an attempt to use remote desktop, which uses the NTLMprotocol. So you go through the normal login experience with remote desktop.You type in the local username and password for the device. But then onceyou're entering this authentication process, it actually prompts the beyondidentity authenticator to make sure that you have the passkey visible. youknow, pass to you on your device that you have, that you meet all of thosestandards that I showed in the policy.

[11:24 - 11:47] Michael:  And then once that all that is approved, thenyou actually allow the access into RDP. So that's kind of the complete storyhere. We showed the access control policy in Beyond Identity. We showed thepolicy for when that policy gets run in CrowdStrike Falcon. And then we canshow the actual outcome of that, which is a very streamlined password list.

[11:48 - 11:49] Kasia Kumor:  login experience

[11:49 - 11:50] Michael: throughremote desktop.

[11:51 - 12:03] Kasia Kumor: That'sawesome. Yeah, teams can really ensure that they know with confidence that theright users on the right device, on a healthy device, are accessing theiron-prem applications.

[12:04 - 12:20] Kasia Kumor:  And there's a lot of benefits that thatunlocks for security and IT teams. Number one being zero account compromises onon-prem apps. There are no credentials to steal and therefore there's reallynothing to bypass or get around in order to access on-prem apps.

[12:20 - 12:49] Kasia Kumor:  And similarly, no, a zero lateral movementfrom credential abuse because there are no credentials that can be shared andreused throughout various applications. It secures legacy protocols withoutadded user friction. As Michael was showing, it's the same process of username,password, and then it checks the health of the device and if it's the rightdevice through that passkey. But it's not like they're reaching for a phone fora push notification or a one-time code that adds typically user friction.

[12:50 - 13:08] Kasia Kumor:  And lastly, it extends your CrowdStrike, yourexisting CrowdStrike investment and signals to block access attacks. So thesignals that you're already spending on with CrowdStrike can be used in accesspolicies. If full disk encryption is turned off, that is something that canprevent someone from logging into your on-prem apps.

[13:09 - 13:21] Kasia Kumor:  And also, if there are any crowd credits thatyou have in your marketplace, that is something that can be used towards BeyondIdentity. So check that out. We're on the CrowdStrike marketplace with somemore information, and you can get started there.

[13:21 - 13:39] Kasia Kumor:  Or go to beyondidentity.com slash demo for apersonalized demo. But thank you so much for joining us. I hope this wasreally, really helpful. Please give us feedback anytime we respond to anyemails or any requests for more information. We'd love to show you more. Sothank you again.

[13:40 - 13:40] Kasia Kumor:  Thanks a lot.

‍