Exposure Management – Identifying and Triaging Unmanaged Assets
Identifying and Triaging Unmanaged Assets
Summary
In this guide, you’ll learn the seamless integration and robust capabilities of Falcon Exposure Management and Falcon Fusion in identifying, triaging, and securing unmanaged assets within your IT infrastructure.
The Fusion of Intelligence and Automation
CrowdStrike’s integrated approach through Falcon Exposure Management and Falcon Fusion significantly elevates your security operations by:
– Minimizing the distraction of false positives and low-priority alerts, enabling your team to concentrate on genuine threats.
– Supplying rich intelligence for rapid, informed security decisions.
– Implementing orchestrated, automated responses to swiftly address unmanaged assets, thus reducing reaction times.
Navigating Through the Dashboard for Critical Asset Identification
Begin by reviewing the asset overview section. Here you will discover a count of assets lacking Falcon sensors, categorized as unmanaged.
Next, select the pink bar which represents all unmanaged assets.
Select the Asset classification filter and click Critical Infrastructure.
Assigning Criticality and Automating Triage
Upon identifying your Critical Infrastructure assets, marking them as ‘Critical’ through the asset criticality assignment empowers you to prioritize and automate their triage. This is where Falcon Fusion steps in, allowing the creation of workflows tailored to these critical assets.
Select all assets, click assign asset criticality, and choose Critical
Crafting a Fusion Workflow for Asset Management
Creating a Fusion workflow involves specifying conditions to ensure that the workflow is triggered by new, unmanaged, and unsupported assets:
- Entity Type: The workflow gets triggered by assets classified as ‘unmanaged’.
- Confidence Level: Only assets verified with high confidence to belong to your organization will initiate the workflow.
- Data Provider: Specify the source, such as ServiceNow, for a comprehensive approach to asset management.
Click the menu button within the Falcon console and select Fusion workflows. Next, select Create workflow.
Sequential Actions for Asset Management
Select Create workflow from scratch and set the workflow to an Event.
Next, set the trigger category to Asset Management which ensures that all new unmanaged and unsupported assets are identified.
Conditions
Condition 1: Entity Type
For this workflow, you must customize 3 conditions. For the first condition, the entity type must be equal to “unmanaged”.
Condition 2: Confidence
In addition, the confidence level should be equal to High to ensure that only unmanaged assets that belong to your organization trigger the workflow.
Condition 3: Data Provider
Lastly, the source or data provider for the unmanaged asset must be set. In this example, we will select ServiceNow and save the condition.
With your conditions set, the workflow progresses to recommend actions like sensor installation, detailing the process and ensuring the necessary information, including the Asset ID, is captured. Concluding this workflow with the creation of a ServiceNow Incident arms your analysts with actionable insights and detailed asset information.
Finalizing and Implementing the Workflow
Lastly, name your workflow.
After naming and activating the workflow, you’ve effectively set a proactive defense mechanism against unmanaged assets, significantly reducing potential security vulnerabilities.
Conclusion
Falcon Exposure Management and Falcon Fusion, through their intelligent integration, provide a robust defense against unmanaged assets. These tools not only streamline the detection of critical assets but also automate the response process, enhancing the efficiency and accuracy of your security operations. With Falcon Exposure Management, your security team is equipped with the insights and tools necessary to proactively secure your IT environment and respond to threats with confidence.