RSAC 2022: Introducing CrowdStrike Asset Graph — the Path to Proactive Security Posture Management

Driven by all the new technologies being adopted and the move to the cloud, the number and types of assets an organization has to manage increased nearly fourfold over the last 10 years. As a result, organizations are at risk to adversaries, who continually conduct reconnaissance to identify, target and exploit soft targets and vulnerabilities. The proliferation of assets also creates an untenable situation for IT to minimize service disruption as asset configurations are changed and patches are applied. Gaining visibility and being able to manage both known and unknown assets is critical to maintaining proper security hygiene and a proactive security posture, but remains an unsolved challenge for nearly every organization.

 

The scale of the challenge is immense: hundreds of thousands of assets and devices, with hundreds of thousands of accounts logging into those workloads, with thousands of applications running. For true cloud-based solutions, this problem becomes exponentially harder with hundreds of millions of assets, hundreds of millions of users, running tens of thousands of applications. One of the biggest obstacles today in operationalizing security posture management is the lack of understanding of the cascading impact of any configuration change. For too long, security posture management tools have focused on the security impact of proposed mitigations, but are unable to understand the operational impact such a mitigation may have on the organization. This creates a gap between security and IT teams, resulting in huge hurdles for implementing any change.

 

Let’s take a simple example of mitigating a vulnerability in a deployed product. First, it is almost impossible for any organization to even keep track of published vulnerabilities and associated patches due to the pace at which vulnerabilities are being discovered. Second, even if an organization knows about a mitigation, they cannot deploy it fast enough before exploits are available in the wild. That is because of the aforementioned lack of insight into the ITOps impact of any patch. The result is an ever-increasing attack surface and IT and security teams that are often at loggerheads. Gaining a single, unified, 360-degree view of assets, identities and configurations across all systems — including cloud, on-premises, mobile, IoT and more — and understanding how each of these assets interacts with each other, provides a bridge to IT and security operations.

 

For security teams, this level of dynamic visibility empowers them to discover and catalog every asset and its interconnected relationship to better understand the configurations, vulnerabilities and exposures that an adversary might try to exploit. And IT operations can better manage, maintain and track assets across the organization to better minimize service disruption, ensure system uptime and support other critical IT projects.

 

CrowdStrike has always focused on solving the hard problem first by developing innovative, scalable solutions, and we are now applying the same approach to this area of security posture management. That’s why I’m so excited to announce that CrowdStrike today unveiled the CrowdStrike Asset Graph, a new graph database underpinning the CrowdStrike Falcon®® platform.

 

CrowdStrike Asset Graph dynamically monitors and tracks the complex interactions among assets, providing a single holistic view of the risks those assets pose. Asset Graph provides graph visualizations of the relationships among all assets such as devices, users, accounts, applications, cloud workloads and operations technology (OT), along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations — without impacting IT.

Asset Graph: Powering the Falcon Platform and the Future of IT SecOps

CrowdStrike has once again done the hard, architectural work up front to deliver superior protection, performance and value from the Falcon platform.

 

Asset resolution — the merging of small pieces of information from various sources and systems into a single view of the asset — continues to be an unmet challenge in the industry. For instance, one system in an IT environment may register a device by IP address, while another system registers it by user name. This problem grows more complex depending on how and where the asset is used (internal networks, on cloud networks, etc.) and the number of data sources used to track inventory. According to ESG, nearly one-third (32%) of organizations utilize 10 or more data sources to track and inventory their assets for security purposes. This makes it incredibly difficult for organizations to gain a unified view of their assets — and conversely, makes it difficult to ensure that disparate assets are not conflated with a different asset of a similar name from another system. The data exists to make these distinctions, but resolving assets across myriad systems has proved elusive, until now.
Figure 1. CrowdStrike Asset Graph shows every entity (device, IoT, identities, etc.) on a customer network and how they all interact. This insight helps organizations make better decisions — from security to IT performance, utilization, capacity, license management and more — to proactively protect and manage their IT environment. (Click to enlarge)
The CrowdStrike Falcon® platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.

 

 

CrowdStrike’s groundbreaking graph technologies, beginning with the company’s renowned Threat Graph®, help form a powerful, seamless and distributed data fabric, interconnected into a single cloud — the CrowdStrike Security Cloud — that powers the Falcon platform and CrowdStrike’s industry-leading solutions.

 

Using a combination of artificial intelligence (AI) and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers' hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.

 

 

The three highly advanced graph technologies underpinning the Falcon platform now include:
  • Threat Graph: CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real time across CrowdStrike’s global customer base.

     

  • Intel Graph: By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights into the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence.

     

  • Asset Graph: With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, IoT and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture.

     

Falcon Discover 2.0: The First Module Powered by Asset Graph

CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships among assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover™, CrowdStrike’s security hygiene solution, which includes the following enhancements:

 

  • Newly enhanced dashboards, highly customizable filters and sharing options: IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console.

     

  • New third-party data integration with ServiceNow: By combining a ServiceNow integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

Manage Risk by Thinking Like an Adversary

CrowdStrike has long advocated for an adversary-focused approach to security. This means staying ahead of shifting adversary tradecraft and tactics so you know how they'll come after you. It also means having deep visibility across your critical assets and technology environment to understand where they’ll come after you as well.

 

The introduction of Asset Graph will enable organizations to gain a much deeper understanding of their complete technology environment and how it interacts, more accurately assess the risk posture of their assets, and move to proactively adapt their security posture to defend against today’s adversaries without disrupting IT operations.

 

Additional Resources

Breaches Stop Here