In this podcast, Ned Miller, CrowdStrike Federal VP, and Andrew Harris, CrowdStrike's Senior Director of Global Public Sector Technical Strategy, discuss how Zero Trust identity protection solutions help the public sector prevent data fabric breaches and reinforce legacy authentication protocols.
Ned Miller
Welcome to the CrowdStrike Federal Podcast Series. Today we'll discuss identity protection and where it aligns to a sound Zero Trust strategy. The last several weeks have been a busy time in government for cyber. The White House released a new, ambitious national cybersecurity strategy. The NSA released new Zero Trust guidance focused on identity, credential, and access management capabilities. CrowdStrike also recently released its 2023 Global Threat Report. One of the key messages of the threat report highlighted that last year 80% of cyber-attacks leveraged identity-based techniques to compromise legitimate credentials and try to evade detection. This year, the report shows adversaries are doubling down on stolen credentials, with a 112% year-over-year increase in advertisements for access broker services identified in the criminal underground. So, today we'd like to explore identity protection as it relates to ICAM. Joining me today is Andrew Harris. Andrew is CrowdStrike's Senior Director of Global Public Sector Technical Strategy, and I'd like to welcome Andrew. Andrew, welcome to the podcast.
Andrew Harris
Thanks, Ned. Appreciate it.
Ned Miller
So, Andrew, I'm looking forward to the conversation today, because I know that identity is an area that is very close to your background. You've spent a lot of time in this arena and answered a lot of questions. So let me start with this: CrowdStrike has a unique perspective when we say the words "identity protection" with our customers, one that's very different from how we typically would describe credential management or ICAM, or FICAM in the case of the federal government. Can you take a moment and share with our audience your perspective, and how you would first define identity protection versus ICAM?
Andrew Harris
Absolutely, Ned. It's a great question. CrowdStrike is uniquely positioned to ultimately get visibility across the entire identity plane. What I mean by that is identities exist in multiple locations all at the same time. So, for myself, for example, my identity exists on my MacBook here, right in front of me; it could exist when I log on to, say, our Exchange; it exists when I access AWS. I have identities in Salesforce. And an attack against any one of those applications that has my identity exposed is an attack against my identity and an attack against all of the rights I have access to. So, if I'm an administrator, and I have command and control capabilities, we need to lock that down and figure out exactly where that administrative, privileged account is exposed. So, with CrowdStrike, we get visibility of on-premises Active Directory, thanks to Falcon Identity Protection; we sit inline to Kerberos, NTLM authentication, and LDAP. We also integrate with those other identity providers, like Okta, like Ping, like RSA, and we can actually do MFA. So, the piece that completely differentiates us from anyone else in the market is the fact that we can actually secure that entire ecosystem of identities, we can build a risk score across all that telemetry from all those data sources, and we can apply multi-factor authentication where it is literally impossible to do it today: on top of NTLM, on top of what are called legacy authentication protocols, which other vendors cannot apply. So really, we are actually amplifying and increasing the return on investment of those ICAM investments customers are making.
Ned Miller
Great, Andrew, thank you. I think that's a pretty well-defined statement. But with that being said, let's talk about how this would align to the Zero Trust guidance from what we consider the authoritative sources across government. So NIST has defined Zero Trust, CISA has defined Zero Trust, NSA has released a couple of publications, and now DoD has their version of Zero Trust as it relates to identity. So specifically, if you were a government customer trying to interpret what those guidelines suggest, and you look at ICAM, and now you're being told by us and others that there's this new attack vector that can be used against your ICAM environment, how would you suggest that a customer begin to look at identity protection as part of their overall reference architecture?
Andrew Harris
Identity protection, in many cases, has to be one of the first major places to start looking broadly, again with that new definition of identity, knowing that it spans across multiple digital estates or across multiple ecosystems, with potentially different identity providers depending on that part of the ecosystem. One, you need full visibility. When you look at vendors, you have to ask yourself: is the solution going to fix one of these digital estates, or is it going to fix all of those digital estates? Again, CrowdStrike is uniquely positioned to grab telemetry from all those and become an enforcement point. And where we are doing integrations into those other SaaS identity providers, we are providing signal into that enforcement point. So ultimately, again, if we are seeing an attack against on-premises Active Directory, we can actually inform and influence Okta by making modifications to security groups and by sharing risk scores. So, Okta, when it sees that user authenticating, will literally modify its behavior. So, we are modifying our own conditional access, and, in the spirit of Zero Trust, we plug into other people's conditional access. Ultimately, what that means is we are providing the most influential signal to the parts of the architecture where our customers need that enforcement point. So really, again, from a commander's intent, looking at Zero Trust and how folks are defining ICAM: there's a lot of work going on in ICAM right now on how do I ensure, when I press that magic button just to prove my multi-factor authentication, that that press is really Andrew. What we're again doing is extending that across all your digital estates, across all those identity providers.
And that's probably one of the biggest myths, Ned. When I talk to customers, when they think Zero Trust, they believe it only applies to the cloud, that they have to do IT modernization, that they have to move their entire application workload to the cloud to achieve these outcomes. And what we're talking about right now is that that is not the case: the fact that we can apply multi-factor authentication against those legacy applications, without even touching the application, to bring conditional access to it. That's the game changer.
Ned Miller
Yeah, Andrew, you bring up a great point. You know, the perspective that many folks don't necessarily have is the ability to monitor ICAM infrastructure once it's in place, right? So ICAM has been around for quite some time. Recently, NSA produced additional guidance, literally just within the last month or so, focusing on helping customers advance through what it defines as their Zero Trust maturity model via the user pillar. And a lot of what you talked about was where we help other organizations leverage their multi-factor authentication capabilities to determine the health, if you will, of the individual and the assets that are coming in to request resources. The guidance goes on to suggest that there should even be a visibility and analytics capability on top of the ICAM infrastructure itself. So this falls under what NSA describes as their advanced stage, right, their intermediate and advanced stages of Zero Trust. So, given your explanation of how CrowdStrike's Falcon Identity Protection works, and the implication of our recent Global Threat Report, where it certainly is one of the highest attack vectors that we're seeing across the board, where would you say we could position the identity protection piece in a reference architecture? How does that work against the latest guidance from NSA? It seems to me that we fit very neatly in the ability to audit things like Active Directory, as well as their ICAM infrastructure. Is that a fair assessment?
Andrew Harris
Yeah, it's a fair assessment. And I'd say we, in many areas, excel beyond what they're even asking for in some of those maturity models. What I mean by that is, if you look at some of the latest metrics, 71% of the attacks that CrowdStrike has been detecting with threat intelligence have no malicious binary; they include legitimate credentials that are being used illegitimately. Which means the only difference between malicious activity and someone just regularly using their computer is intent. So how do you actually measure intent? I'd better have really strong telemetry: how often someone's logging in, which endpoints they're talking to, how they're logging in, where in the world those endpoints they're talking to are, times of day when I'm logging in, all sorts of attributes. And again, in the CrowdStrike ecosystem, we have at minimum, I believe, 40 attributes just as I do a local logon to my MacBook here, right in front of me. And again, that is necessary for us to identify abnormal activity. We also have, of course, discrete detections, if I see an activity that maps to some kind of privilege escalation. That's the pretty easy use case. And again, we have that capability against Active Directory and ADFS servers, and we work with our partners to do the same thing with Okta, Ping, and so forth. The piece that gets really interesting, though, is that the majority of logins that we see in the network have nothing to do with a user. They are non-humans; they are service accounts. Take the SolarWinds breach that we saw, where you see a downstream impact to the supply chain: all of a sudden an application has an impact. Did you see the service account impacted? No one is monitoring the service accounts because, quote unquote, they're not users. They're a service account. They can't do multi-factor authentication.
The thing that again separates us from everyone else is we automatically triage and say that is a service account, and it should be acting as a service account. A service account should never RDP into Active Directory; it should never do an interactive logon, where someone is literally pressing a key on a keyboard to enter a PIN or to put a password into an RDP prompt. We detect service accounts; we ensure that service accounts act in the context of a service account. And again, we can also extend where no one else can. Again, that example of PowerShell: people are so scared of PowerShell. They can't do PKI on top of it, you can't use a smartcard, but we can apply multi-factor authentication to PowerShell, to get that increased ability and confidence that the administrator trying to patch 40 different Exchange servers can actually programmatically do that via an MFA prompt. Again, no other vendor can do that. And all we're doing is extending the ICAM solution that customers already use in a way that they've never been able to apply it before. That's where we exceptionally excel and broaden the definition of that maturity model you just shared.
Ned Miller
Great, Andrew. Thank you. And that leads me to one of my favorite questions and topics, which you and I have talked about an awful lot. You touched on it a bit during the answer to this last question. But specifically, we know from our experience, as an example, that Active Directory is considered a very high-value target for the adversary, given that it holds a tremendous amount of valuable information and, for many organizations, the keys to the kingdom, specifically where identity is concerned. So with CrowdStrike Falcon Identity Protection, let's just focus on that one area, because there are so many of our customers in government that are leveraging Active Directory. How can we really help those customers take it to the next level to provide some protection, and at least audit and play that watching-the-watcher function?
Andrew Harris
Yes, so there are two parts of Active Directory. And again, unfortunately, I'd say 50% of the time our customers sometimes forget about one of these. Active Directory is both an operating system and it's also an application. If I compromise the operating system part of Active Directory, I can of course impact and compromise all the applications on top. I can also attack Active Directory through the application itself; what I mean by that is taking over a domain admin or enterprise admin account. There is no security boundary on an Active Directory server between operating system and application. What we recommend to customers is to install both an EDR solution, hopefully CrowdStrike, and install identity protection, hopefully CrowdStrike. The second you install identity protection on that computer, Active Directory: one, it's the same agent now. So, we only want you to touch the computer once. So, we have the same agent providing both functionalities as long as the customer is licensed for it. But we automatically start identifying what does normal look like? Where are your domain admins exposed? Which computers are they normally logging into? How are they logging in? Are they exposing their credentials, their highly privileged credentials that, if ever compromised, will bring down the entire on-premises environment, and potentially, and most likely, compromise cloud service providers? Because usually it's the same account that's then writing the root of trust between on premises and the cloud. Right off the bat, you're getting that telemetry, looking for anomalous behavior; there is no risk. We then start telling customers to start ratcheting up the security. If I know that I should only be exposing such highly privileged accounts to very specific computers, you can start building policies to enforce credential segmentation. That is a massive win just right off the bat. It prevents lateral movement.
For certain accounts, it prevents the exposure, the unnecessary exposure, of highly privileged accounts to less trusted devices. And we haven't even talked yet about device hygiene, where I can actually use CrowdStrike EDR and identity protection to force highly privileged accounts to only be exposed to highly trusted and compliant devices that are also being managed by CrowdStrike or one of our partners. So simply by installing an agent, you're off to the races, and you can slowly ratchet it up as you get more mature in your thinking of Active Directory security with identity protection.
Ned Miller
That's great, Andrew, thank you again. Extremely valuable guidance here to customers that are constantly defending as it relates to anything identity. Andrew, a final question for you. We'll start with a couple of observations and then the question itself. So, the first observation is: it almost sounds as though, even when we begin with the premise that customers have a Zero Trust mindset, it somewhat suggests we should assume an "assume the worst first" posture; however, we're still encouraging the concept of continuous monitoring and a "trust eventually" reality, right? So, the second observation is, a thought comes to mind: the guidance that customers must have, or should have, an independent verification and validation capability to achieve a really mature state of Zero Trust really does sound like they need to also have a continuous audit concept to confirm that the Zero Trust infrastructure is actually working. So, Andrew, that's a long way to get to the question. But in terms of framing, if you were to put on your trusted advisor hat, as we often ask you to do for a moment, and you had the wand for the day, what three recommendations might you have for our audience when they begin to understand this concept that there's more to the Zero Trust maturity model than just selecting specific technologies to align against their reference architecture? There's another factor that they really need to consider.
Andrew Harris
Yeah, it's one of my favorite topics, Ned. And to me, it always comes down to, again, commander's intent, or just what is Zero Trust trying to drive towards. And to me, it's a couple of simple words: that's essentially cyber and mission resiliency. And that to me is the North Star that CrowdStrike needs to hold itself accountable to, and all the partners, and that's what our customers expect. And if we're not doing that, and if vendors are not doing that, then customers should hold vendors accountable. So, what I ultimately mean by cyber and mission resiliency is, as they look at vendors, is it actually going to increase their resiliency? Or is it going to create just another single fault point? Again, I won't name vendors, but say an identity provider goes down: can the platform still be operational? Can they still log on to the system to manage the endpoints? Can they still carry out their mission and complete operations? To me, that's the first question; you ultimately want to make sure you're driving towards that net goal. It also goes back to why there are recommendations of having, say, hybrid ecosystems where you're both on premises and in the cloud, and most likely with multiple cloud service providers as your solution. The other piece, I would say, is, as you look at those vendors trying to, again, use the marketing term Zero Trust, are they actually going to meet all of the digital estates I talked about? Or is it just one of those digital estates? And again, going back to the myths that I hear all too often, many customers approach this as "I only have to really apply this to the cloud," or "when I think of multi-factor authentication, that really just means web apps." Those are all myths. Most customers don't know that you can actually apply, again, multi-factor authentication to those legacy, quote unquote, protocols like Kerberos and NTLM, which is probably where 99% of their applications are today.
So again, that second question they have to ask themselves is: is this actually gonna be a solution across all my digital estates? And if not, what other solutions do I actually have to buy? And at least be aware of where the blind spots are. If you're not aware of what's happening in Active Directory on premises, just like we've all seen, what, a year and a half ago with SolarWinds, you're gonna have a really bad day one day, when you wake up and your cloud is no longer your cloud. And probably the third thing is just that vendor lock-in. It kind of goes back into your IV&V question: do I want the arsonists to put out the fire? Do I want the fox to watch the henhouse? Again, if you make decisions and you are going to get further locked in to a particular vendor's ecosystem, whether it be because it's just cheaper to use that entire ecosystem, or purely because they only integrate into their own ecosystem, and therefore it just removes options down the road for you to buy best-of-breed cybersecurity capabilities, that is something else for customers to be aware of. So those are probably the three big things, again, with mission resiliency being the top and utmost emphasis. And everything else after that kind of naturally comes with it: again, is it going to be applied across all my digital estates, and if not, where are those blind spots? Is it gonna open up more options for me, or am I gonna start getting that vendor lock-in that every single customer should pretty much be afraid of? Because we all know, once you get vendor lock-in, those SKU prices tend to go up, as the other vendor knows they kind of got you.
Ned Miller
Great. Andrew, thank you very much for your participation today. And thank you to our audience for listening in to the CrowdStrike Federal Podcast today. Please join us for our next podcast session, where we'll cover Zero Trust hunting at the edge. I'd also like to extend an invitation to all of our listeners to join us at the CrowdStrike Government Summit, occurring on 11 April at the Marriott Marquis in Washington, DC. You can register at govsummit.crowdstrike.com. Thank you very much, and have a great day.