CrowdStrike Falcon for AWS
Maximize Protection of Amazon Web Services (AWS) Workloads
The advent of cloud technologies brings the opportunity to store, process and distribute vast quantities of data at the push of a button. Amazon Web Services (AWS) has been at the forefront of making this a reality. Organizations are increasingly moving mission-critical applications and data into AWS and taking advantage of the massive compute power of Amazon EC2.
Many of today’s organizations maintain environments that are a combination of on-premises, virtual, and public cloud data center solutions, but such environments are dynamic and can pose unique security problems. The ability to scale compute power elastically and ephemerally within EC2 brings with it tremendous operational and business gains, however, practical security considerations are critical. Gaining comprehensive visibility and insight are key to maintaining an adequate security posture, but doing so is not without challenges:
- Discoverability — Organizations want to quickly and efficiently discover all EC2 instances and identify unprotected / unmanaged assets, allowing them to be put under management as needed.
- Context — As analysts triage detections, they may lack appropriate context about EC2 instances and need answers to questions such as: Is this system internet accessible? Does it have IAM roles applied with elevated privileges? Is it on the same VPC as other critical assets?
- Consistency — As organizations implement hybrid data centers, with workloads running on-premises and in the cloud, maintaining consistent security becomes difficult. Organizations need visibility and control over their endpoints whether they are running on-premises or as an EC2 instance in AWS.
- Efficiency — Time is a critical resource for operations and security teams because too often they find themselves having to pivot across a variety of tools and workflows, as they attempt to span physical, virtual and cloud environments. Ideally, teams want one tool that allows them to span their existing on-premises endpoints and Amazon EC2 instances, quickly and effectively.
- Ease of deployment — Security needs to match the speed and agility of DevOps. Visibility of an EC2 instance needs to be achieved instantaneously without having to install yet another agent and removing the need for DevOps to implement install scripts, etc.
What makes Falcon Discover for AWS unique?
An integral part of the CrowdStrike platform, Falcon Discover for AWS extends visibility over all EC2 instances, enabling security professionals to more quickly identify and stop threats:
- Gap analysis: Identifies protected and unprotected EC2 instances in your environment
- Improved effectiveness: Provides additional information and context about EC2 instances, improving protection and response actions
- Real-time visibility: Gain visibility across your entire environment, whether EC2, virtual or physical via the Falcon Management Console
- Ease of deployment: Falcon Discover for AWS is delivered via the lightweight Falcon agent without affecting performance
- Cloud-native: It scales easily to match the dynamic nature of ephemeral EC2 instances
EC2 Visibility Transformed
The CrowdStrike Falcon platform for AWS provides extensive and detailed visibility over EC2 instances, helping improve an organization’s overall security posture. It quickly enumerates existing EC2 instances in one centralized view, allowing you to immediately identify security gaps. Rich AWS-specific context is presented to allow for timely triaging and response to security events on EC2 instances.
Breach Protection for AWS Workloads
Continuous and comprehensive workload monitoring, including container visibility, ensures nothing is missed and stealthy attacks can be stopped.
Protect against breaches with unparalleled coverage. Defend against threats from malware to the most sophisticated attacks.
Built in the cloud for the cloud. Reduces the overhead, friction and complexity associated with protecting cloud workloads.
Enable cloud security to keep up with the dynamic and flexible nature of AWS workloads.
Built in the Cloud to Protect the Cloud
- Full EDR prevents silent failure by capturing raw events for complete visibility
- Visibility into incidents involving containers with process trees showing container IDs
- Full attack visibility provides details, context and history for every alert
- Event details and a full set of enriched data is continuously available, even for ephemeral and decommissioned workloads
- Rogue instance detection
- Extensive AWS visibility: Environment, accounts and instances
EC2 and Container Protection
- Machine Learning and AI protects against known and zero-day malware
- Protection against prevalent cloud workload threats like web shells, SQL shells and credential theft
- Behavior-based indicators of attack (IOAs) detect sophisticated attacks such as fileless and malware-free intrusions
- Exploit protection and blocking
- Delivers container security through a single agent running on the node that protects the instance itself as well as all containers running on it
Simplicity and Performance
- Works everywhere: EC2 instances, ECS & EKS containers, Windows, Linux, Amazon Linux
- One console provides central visibility over cloud workloads regardless of location
- No reboots — No signatures — No scan storms — No disruption
- Lightweight — Operates with only a tiny footprint on the host and zero impact on runtime performance, even when analyzing, searching and investigating
- Automatically kept up to date with SaaS delivery
- Complete policy flexibility — apply at individual server, group or data center level
- Automatic detection of attacker behavior with prioritized alerts and severity eliminates time-consuming manual searches and assessments
- Integration with CI/CD deployment workflows
- Powerful APIs enable automation of all functional areas including detection, management, response and intelligence
- Scales as cloud workloads expand — no need for additional infrastructure
- Integrates with AWS Security Hub for centralized management of threat alerts from AWS services
Real-Time Visibility and Control of your Amazon EC2 Instances
CrowdStrike Falcon Discover™ for AWS provides extensive and detailed visibility over EC2 instances. It quickly enumerates existing EC2 deployments across all regions (including instances without the Falcon agent installed) and subsequently monitors CloudTrail logs for any modifications to the environment. The data captured is presented in a dashboard in the Falcon Management Console, allowing users to quickly identify all EC2 assets running across all AWS accounts and regions in one centralized view. This dashboard also highlights instances that do not have Falcon installed, allowing customers to quickly identify security gaps. In addition, rich AWS-specific context is presented to allow for timely triaging and response to security events on EC2 instances.
Use Case: Gain Additional Context Surrounding Alerts
Challenge: Typically, Amazon EC2 instances are running critical applications. When responding to an alert, analysts need a more complete picture of the impacted system.
Solution: In the Falcon detections app, you can identify an alert on a server, drill into the alert, pivot into host details and highlight all the AWS information that’s available, for example:
- Who is the account owner of this system?
- Is this system internet accessible?
- Does it have IAM roles applied with elevated privileges?
- Is it on the same VPC as other critical assets?
- What are the rules of the security group associated with this instance?
Armed with this information, you can take the appropriate action to deal with the alert.
Benefit: The ability to make the appropriate triage and remediation actions based on complete information leads to accurate and faster decisions. This ensures that business operations are not negatively impacted and that an advanced persistent threat (APT) doesn’t have time to spread laterally.
Use Case: Finding Unprotected Amazon EC2 Instances
Challenge: Organizations can quickly deploy instances, however, their ephemeral nature can make it difficult to quickly and efficiently discover all EC2 instances and identify unprotected / unmanaged assets.
Solution: Falcon Discover for AWS quickly enumerates existing EC2 deployments across all regions — including instances without the Falcon sensor installed — and subsequently monitors CloudTrail logs for any modifications to the environment. This allows you to:
- Drill into unmanaged instances and use a tag to filter on all “prod” servers that are currently unprotected
- Use filtered data to create a report and export it
- Send that information to infrastructure teams to resolve identified security gaps
- Filter the information based on account names to generate reports and track how security posture is trending for different account owners
Benefit: The ability to quickly and efficiently identify unprotected / unmanaged EC2 instances allows them to be put under management by installing the Falcon agent as needed.
Use Case: Monitor and Search Metadata to Improve Security Posture
Challenge: It can be difficult to ensure consistency across EC2 instances and their respective security groups. For example, how can you know with certainty the specific EC2 instances that are permitting remote desktop protocol (RDP)?
Solution: Using the Falcon Discover for AWS dashboard allows you to:
- See AWS-specific metadata including Instance ID, Instance Type, State, Region, AZ, Security Groups, Subnets, AMI ID, Tags and more
- Drill into security groups
- Filter for those groups with internet access
- Identify, filter and make changes to any group or EC2 instance in security groups that permit RDP
- See both CrowdStrike and AWS information in the same host dashboard
Benefit: The ability to quickly and effectively access AWS-specific metadata in real time and in one console gives analysts the information and confidence they need to take the appropriate corrective actions.
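A defender's independent cross-check of the two use cases above (unprotected EC2 instances, and security groups that permit RDP from the internet), added here as an example; it is not CrowdStrike's or AWS's code. It runs over constructed dicts shaped like boto3 `describe_instances` / `describe_security_groups` responses, and the set of sensor-managed instance IDs (`SENSOR_MANAGED`) is an assumed input.

```python
# Added example (constructed data, not real AWS output): dicts below mirror the
# shape of boto3 ec2.describe_instances() / ec2.describe_security_groups().
INSTANCES = [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
     "Tags": [{"Key": "env", "Value": "prod"}], "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
     "Tags": [{"Key": "env", "Value": "prod"}], "SecurityGroups": [{"GroupId": "sg-admin"}]},
    {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
     "Tags": [{"Key": "env", "Value": "dev"}], "SecurityGroups": [{"GroupId": "sg-admin"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,  # port range covers 3389
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},              # IPv6 wildcard source
]
SENSOR_MANAGED = {"i-0aaa111"}  # assumed input: IDs the sensor console reports as managed (constructed)
RDP_PORT, ANYWHERE = 3389, {"0.0.0.0/0", "::/0"}

def rule_allows_port_from_anywhere(rule, port):
    # True if one inbound rule admits TCP `port` from a wildcard IPv4 or IPv6 CIDR.
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "all traffic": AWS omits the port fields
        in_range = True
    elif proto == "tcp":
        in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    else:                                   # udp/icmp rules cannot carry RDP
        return False
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return in_range and any(s in ANYWHERE for s in sources)

def groups_exposing_port(groups, port=RDP_PORT):
    return sorted(g["GroupId"] for g in groups
                  if any(rule_allows_port_from_anywhere(r, port) for r in g["IpPermissions"]))

def unprotected_instances(instances, managed, tag=None):
    # Running instances not reporting to the sensor; tag=(key, value) narrows to e.g. env=prod.
    found = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if inst["State"]["Name"] != "running" or inst["InstanceId"] in managed:
            continue
        if tag is None or tags.get(tag[0]) == tag[1]:
            found.append(inst["InstanceId"])
    return found
```

In a live account the same functions take the `Reservations[*].Instances` and `SecurityGroups` lists from boto3, paged per region.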
Use Case: Review the Rate at Which EC2 Instances Are Launched Over Time
Challenge: Given the ease of deployment and the ability to scale, it can be difficult to get an overview and track the rate at which EC2 Instances are being launched.
Solution: Using the Falcon Discover for AWS dashboard allows you to:
- See what EC2 instances have been launched by day, week or month
- Review the rate at which EC2 instances are being launched across all accounts and then drill into specific accounts
Benefit: The ability to quickly and effectively track EC2 instance launches in one dashboard and drill into specific accounts as needed offers both the overview and details analysts need.