Endpoint Security – Falcon Flight Control
Introduction
Many security tools lack the controls necessary to segment workflows and ensure that access is limited to just the relevant teams.
CrowdStrike’s Falcon Flight Control makes it easy for MSSPs and enterprises to organize and manage security at scale by allowing the environment to be logically segmented.
The segmentation allows for many use cases, such as an MSSP with many customers or a company that wishes to divide the administration of CrowdStrike by subsidiaries or geography.
Let’s take a look at how CrowdStrike handles configurations with parent and child environments.
Walkthrough
When logged into the parent account, or CID, we can see all the detections across the entire estate.
The filter bar still lets us filter across all the environments using existing criteria, for example by severity or technique, but we can also filter by child environment.
For example, if we select Child 2, it’ll just show the detections for that environment.
Now if we change that to Child 1 in our filter, it’ll only show those detections associated with Child 1.
And clicking on the detection details will open it up in a new tab in the context of the child CID.
Policies can also be shared across the entire environment. Policies created at the parent level can be leveraged in the child environments, but policies created within a child CID are constrained to just that environment.
For example, here at the parent level, we can see a numbered policy and the default policy.
Now, when we take a look at the policies listed in the child CID, we can see the 2 policies from the parent CID, as well as 2 policies defined in just this child CID. Each child CID can have its own defined policies, but will still be able to use any policies defined at the parent level.
Going back to the Parent CID, let’s take a look at an event search.
Hunting and searching capabilities can be carried out either across all the environments or just within an individual child environment.
Here we’re doing a search at the parent level and it’ll search across all the events in the parent and child CIDs.
We can see that it’s providing results from both the Child 1 and Child 2 CIDs.
Falcon Flight Control also provides a robust set of controls for defining CID groups and user groups, which it uses to manage the level of access that users have.
A CID group is a collection of CIDs; it identifies the CIDs that a user group will have access to.
After a CID group is created, a user group can be created and users can be added to the group.
Finally, let’s assign the CID group to the user group.
We can select the CID group and assign roles to these users within the defined CIDs.
We’ll just assign the Falcon Analyst role to these users.
These controls are very flexible and allow for granular assignment of roles to users in child CIDs.
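The assignment steps above, modelled as an added example (not CrowdStrike's code and not a call to any Falcon API): it expands user group to CID group assignments into each user's effective roles per child CID and flags access outside an intended scope. All group, user and CID names, the example-admin role and the intended-scope table are constructed assumptions; only the Falcon Analyst role name comes from the walkthrough.

```python
from collections import defaultdict

# Constructed sample data; every name except the "Falcon Analyst" role is hypothetical.
CID_GROUPS = {"emea": {"child-1", "child-2"}, "apac": {"child-3"}}
USER_GROUPS = {"emea-analysts": {"alice", "bob"}, "platform-team": {"carol"}}
# One entry per "assign CID group to user group" step: (user group, CID group, roles).
ASSIGNMENTS = [
    ("emea-analysts", "emea", {"Falcon Analyst"}),
    ("platform-team", "emea", {"example-admin"}),
    ("platform-team", "apac", {"example-admin"}),
    ("emea-analysts", "apac", {"Falcon Analyst"}),  # wider than intended
]
# Intended scope per user, e.g. from an access request record (assumption).
INTENDED = {
    "alice": {"child-1", "child-2"},
    "bob": {"child-1", "child-2"},
    "carol": {"child-1", "child-2", "child-3"},
}

def effective_access(assignments, user_groups, cid_groups):
    """Expand every assignment into {user: {cid: set_of_roles}}."""
    access = defaultdict(lambda: defaultdict(set))
    for user_group, cid_group, roles in assignments:
        if user_group not in user_groups or cid_group not in cid_groups:
            raise KeyError(f"unknown group in assignment: {user_group!r} -> {cid_group!r}")
        for user in user_groups[user_group]:
            for cid in cid_groups[cid_group]:
                access[user][cid] |= roles  # roles accumulate across assignments
    return {user: dict(cids) for user, cids in access.items()}

def out_of_scope(access, intended):
    """Return sorted (user, cid, roles) tuples for CIDs outside a user's intended scope."""
    findings = []
    for user, cids in sorted(access.items()):
        for cid, roles in sorted(cids.items()):
            if cid not in intended.get(user, set()):
                findings.append((user, cid, sorted(roles)))
    return findings

if __name__ == "__main__":
    access = effective_access(ASSIGNMENTS, USER_GROUPS, CID_GROUPS)
    for finding in out_of_scope(access, INTENDED):
        print("review:", finding)
```

Because roles accumulate across every assignment that reaches a user, a review has to look at the expanded result per child CID rather than at each group in isolation.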
Conclusion
Falcon Flight Control provides the controls necessary to streamline workflows for MSSP and enterprise environments. In addition to an easy-to-use interface for managing a segmented environment, APIs and reports are also available for additional flexibility and visibility.