CrowdStrike and Beyond Identity

Beyond Identity’s Technical Director, Chris Meidinger, reviews CrowdStrike's approach toward zero trust and how its core Falcon platform can both inform Beyond Identity’s Zero Trust Policy Engine to provide continuous, real-time user and device verification and take action to secure the environment when endpoints go out of compliance


Hi. In this demo, we're going to show you the Beyond Identity Secure Workforce integration with CrowdStrike Falcon. There are three key elements in the integration between Beyond Identity and CrowdStrike. One, Beyond Identity can enforce access controls to validate that endpoint devices have a healthy CrowdStrike agent and optionally CrowdStrike Zero Trust Assessment score before authenticating them to access applications and data. 

Two, that authentication happens continuously. We're validating continuously that endpoints remain secure and compliant throughout the user session in order to, three, if an endpoint falls out of compliance with policy, whether CrowdStrike-specific or any other policy rules, we can automatically quarantine it via CrowdStrike Falcon when it attempts to log in, or within minutes if detected by continuous authentication. 

We'll show the technical integration in the context of a quick use case, briefly showing the benefit of having Beyond Identity validated. Endpoints are actively protected by Falcon before allowing them to access resources. To set the stage, everyone knows you can't defend what you can't see, and the asset inventory is the starting point for both effective incident response as well as your vulnerability management program. That's where the integration between CrowdStrike and Beyond Identity particularly shines. 

Beyond Identity can gather context from CrowdStrike Falcon when deciding whether to allow an endpoint to log into your SSO environment or to any of your SaaS or SSO-enabled apps. Beyond Identity can ensure the CrowdStrike sensor is enabled with a valid connection to the correct CID on your endpoints, as well as verifying that the CrowdStrike ZTA score is within an acceptable range before deciding whether to allow login. 

Also, we have monitoring hooks available, for example, to log instances of endpoints that are nearly out of compliance and create help desk tickets to remediate them or push information into your SIEM. In extreme cases, the Beyond Identity policy engine can impose network quarantine via CrowdStrike when endpoints go out of compliance, whether that's via analyzing the ZTA score or more commonly, due to other contacts in the endpoint such as firewall or disk encryption being disabled or the endpoint being removed from MDM. 

Let's take a look. In this brief scenario, we'll start by showing you the user experience of a typical incompliance Windows user on a typical endpoint and then demonstrate the policies that were in effect. So, what I have here is a Windows user endpoint and I'm going to go ahead and log in. And as you'll see, the user login for this user using Beyond Identity, and we'll click on our username, Michael Scott, and you'll see Beyond Identity is being grabbed in the background. 

Identity is being verified. The pass key in TPM in the cryptographic hardware of this laptop has already been validated. I'm going to put my finger on the reader now in order to confirm my identity as an authorized user and get into my email here. 

Simple, smooth, frictionless login. As you can see, we've accessed Gmail, so simply a third-party cloud email provider from our local endpoint. But what's interesting is what's happening in the background. Let me go ahead and jump over into Microsoft Azure. This user, Michael Scott, happens to be fairly high up in his organization and he's going to have administrator access to the Beyond Identity system. 

Same deal again. Identity will be verified, fingerprint biometrics are also going to be verified and I will get into the Azure environment where I can open the administrator console. And I can show you this console all day and show you all the cool features. 

But I want to focus on just sort of two things. First, I want to look briefly at the policy so get a sense of what's happening in the background. So as we can see, there's different rules happening. Different rules configured. For an employee login on Mac, what are our requirements? What happens if we discover that a firewall has been disabled? 

Employee login on Windows. What are our requirements? That's what I want to show you right now. So, we can go and we can see if an employee is logging for an authentication transaction, if they're in the user group end user. So just a regular employee and they're on a Windows platform. We have a few things we want to see. 

We want to see the firewall being enabled, we want to see BitLocker. So the disk encryption is enabled. We could go and do lots of other stuff. Oh, there we go. We could look for domain names, installed applications, running processes, registry keys, running services. But here we're just doing a pretty basic configuration. We want a firewall, we want an encrypted disk, and we want CrowdStrike Falcon. 

And this again is the neat thing here, right? So we're linking a login to any cloud app, any SaaS app, back to at endpoint, having Falcon on it, being part of your asset inventory, being known to be in compliance. And if those things are true, then we allow that user log on with the OS verification. OS verification, in this case, means biometrics. 

We leverage the Windows Hello system on Windows or the Touch ID on Mac to use native functions in order to use a biometric because they're available. I'm going cancel out of here. The one other thing I want to show you briefly is just what this looks like in logging. I mean, logging is not always the most exciting piece, but I do want to show you just briefly what this evaluation looks like because we're going to see graphically what was evaluated. 

So, we can see the first rules didn't match. There was an authentication transaction that was happening. It was for an end user but wasn't on Mac, didn't have firewall, so that one didn't match. We had a user group, an end user on Windows, but his firewall was not disabled. That didn't match up. 

Here we have a match. The authentication transaction for an end user on Windows with the firewall, with BitLocker, with CrowdStrike, all the things we're looking for. Then we allow them and with, again, OS verification. You saw me put my finger on the fingerprint sensor in order to verify that I, as a user, authorize this transaction. 

The key takeaway here is we seamlessly link cloud or any SaaS app login back to corporate security, ensuring that no endpoints get access to data. They're not compliant and in your asset inventory. Now, I'll briefly show you what it looks like when that user goes rogue. In this case, the user wants to disable the firewall on their laptop to just quickly download some movie that a friend recommended. 

We can see here, Mike's got an email from his erstwhile compatriot, Todd Packer. "U have to check this out, Miiikeey." What's he saying? All right, "Mike-dog," download some software. Oh, great. To get some movies. Okay. 

He's recommending BitTorrent, saying he's got to disable the firewall and then get the software to download the films. Of course, Mike, being Mike, says, "Thanks, I'll check it out for sure, Todd." Sends that off. All right, first job, disable the firewall. So, Mike is going to open up the settings and he's just going to search here for firewall. Windows Defender Firewall. 

Sounds like a good candidate. Turn on or off. Also, a good candidate. Going to go ahead and turn off. Looks like the firewall is off. All right. We will go back here and connect back into Azure. 

Now the firewall has been disabled. Using our regular email account we're going to, as expected, use the Beyond Identity authenticator and checking the... Boom. Dilation detected. 

Sending dementors. Now, you may, at this point, no longer even have video because the endpoint has been immediately quarantined by the Falcon agents. What I see here on the screen, it says security violation detected, and the dementors are being sent. And I have a notification from CrowdStrike that the endpoint has been removed from the network for the safety of all involved. 

So, what I will do now that we've lost connection on the…correctly lost connection to that machine is I'm going to go into, I'm not showing you this, but I'm just going to go into CrowdStrike console and refresh and select that host and I will lift containment. There we go. 

The network should come back here in just a moment. And yeah. Here you can see the message that Michael saw, the last thing that he saw before his computer was kicked off the network, and I will go ahead and close that out. First thing we need to do is get the firewall back. Otherwise, we run a risk of the continuous authentication discovering that it is still off and kicking us off again. 

So, I'm going to jump in here, turn the firewall on, turn the firewall on. Okay, okay, okay, we're back. And see if I can log back on to Azure. Now that I'm back in compliance. Let's see if it did it right. Looking good so far. And, boom, here we go. 

Fingerprint on the reader. We will jump back into Azure. Not going to stay signed in, as I said, because I show this all the time. Jump back into our administrator console and just briefly show you what that looked like from a policy perspective here. We got this policy denied, and when I go in, I can see exactly what policies were evaluated. 

The authentication, again, this wasn't Mac so that policy didn't fire, but this one did fire. So, we had an end-user on Windows with no firewall. So, our actions were to deny and quarantine via CrowdStrike with the custom message special for Michael Scott that the dementors are being sent due to that security violation, we kicked them off the network. 

So what you saw here is despite the user being authorized and in good standing as an employee, the device is out of compliance and it's been quarantined, isolated from the network, which is happening again at cloud login, right? So again, the neat thing here is we're linking the login to a SaaS app back to the hardware inventory that belongs to your enterprise. 

To recap, only authorized devices that meet security policies, in this case, are protected by CrowdStrike Falcon and have things like firewalls are allowed to access resources. If an endpoint falls out of compliance, if a user, as in this example, or an attacker could also be… turns off the firewall or whatever other security compliance settings we have, removes a device from MDM, disables other security settings. 

That device can quickly be quarantined either immediately at login or on a rolling basis as the security policies are reevaluated every few minutes. This continuous authentication is fundamental to Zero Trust. Never trust, continuously verify, and take action before an adversary is able to break out and establish control.